
Unified Threat Management

Advanced Firewall – Administrator’s Guide

Smoothwall® Advanced Firewall, Administrator’s Guide, December 2013
Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other
guides delivered with earlier versions of Advanced Firewall.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or
mechanical, for any purpose, without the express written permission of Smoothwall.
For more information, contact: docs@smoothwall.net
© 2001 – 2013 Smoothwall Ltd. All rights reserved.
Trademark notice
Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd.
Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire Inc.
DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Windows 95,
Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered
trademark of Netscape Communications Corporation in the United States and other countries. Apple and
Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation.
Core is a trademark of Intel Corporation.
All other products, services, companies, events and publications mentioned in this document, associated
documents and in Smoothwall software may be trademarks, registered trademarks or service marks of
their respective owners in the UK, US and/or other countries.
Acknowledgements
Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team:
Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley,
Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan
Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S.
Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Pierre-Yves
Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul
Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez
Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc
Wormgoor.
Advanced Firewall contains graphics taken from the Open Icon Library project http://openiconlibrary.sourceforge.net/
Address: Smoothwall Limited, 1 John Charles Way, Leeds LS12 6QA, United Kingdom
Email: info@smoothwall.net
Web: www.smoothwall.net
Telephone: USA and Canada 1 800 959 3760; United Kingdom 0870 1 999 500; all other countries +44 870 1 999 500
Fax: USA and Canada 1 888 899 9164; United Kingdom 0870 1 991 399; all other countries +44 870 1 991 399

Contents
Chapter 1

Introduction .................................................... 1
Overview of Advanced Firewall ....................................................... 1
Who should read this guide? ........................................................... 1
Other User Information..................................................................... 1
Annual Renewal................................................................................. 2

Chapter 2

Advanced Firewall Overview......................... 3
Accessing Advanced Firewall .......................................................... 3
Dashboard ......................................................................................... 4
Logs and reports ............................................................................... 5
Reports............................................................................................... 5
Alerts .................................................................................................. 5
Realtime ............................................................................................. 5
Logs.................................................................................................... 6
Settings .............................................................................................. 6
Networking ........................................................................................ 7
Filtering .............................................................................................. 7
Routing............................................................................................... 7
Interfaces ........................................................................................... 7
Firewall............................................................................................... 8
Outgoing ............................................................................................ 8
Settings .............................................................................................. 8
Services.............................................................................................. 9
Authentication ................................................................................... 9
User Portal......................................................................................... 9
Proxies .............................................................................................. 9
SNMP................................................................................................ 11
DNS................................................................................................... 11
Message Censor ............................................................................. 11
Intrusion System ............................................................................. 11
DHCP................................................................................................ 12
System ............................................................................................. 13
Maintenance .................................................................................... 13
Central Management ...................................................................... 13
Preferences ..................................................................................... 13
Administration ................................................................................. 14
Hardware ......................................................................................... 14
Diagnostics ...................................................................................... 14
Certificates ...................................................................................... 14
VPN................................................................................................... 15
Configuration Guidelines................................................................ 15
Specifying Networks, Hosts and Ports ......................................... 15
Using Comments............................................................................. 16


Creating, Editing and Removing Rules ......................................... 16
Connecting via the Console ........................................................... 17
Connecting Using a Client ............................................................. 17
Secure Communication .................................................................. 18
Unknown Entity Warning ................................................................ 18
Inconsistent Site Address .............................................................. 18

Chapter 3

Working with Interfaces .............................. 19
Configuring Global Settings for Interfaces ................................... 19
Connecting Using an Internet Connectivity Profile ..................... 20
Connecting Using a Static Ethernet Connectivity Profile ........... 20
Connecting using a DHCP Ethernet Connectivity Profile ........... 22
Connecting using a PPP over Ethernet Connectivity Profile ...... 23
Connecting using a PPTP over Ethernet Connectivity Profile .... 25
Connecting using an ADSL/DSL Modem Connectivity Profile ... 27
Connecting using an ISDN Modem Connectivity Profile............. 28
Connecting Using a Dial-up Modem Connectivity Profile........... 30
Creating a PPP Profile .................................................................... 31
Modifying Profiles ........................................................................... 33
Deleting Profiles .............................................................................. 33
Working with Bridges ..................................................................... 33
Creating Bridges ............................................................................. 33
Editing Bridges ................................................................................ 34
Deleting Bridges.............................................................................. 34
Working with Bonded Interfaces ................................................... 34
Creating Bonds ............................................................................... 34
Editing Bonds .................................................................................. 35
Deleting Bonds ................................................................................ 35
Configuring IP Addresses .............................................................. 35
Adding an IP Address ..................................................................... 35
Editing an IP Address ..................................................................... 35
Deleting an IP Address ................................................................... 36
Virtual LANs ..................................................................................... 36
Creating a VLAN.............................................................................. 36
Editing a VLAN................................................................................. 37
Deleting a VLAN .............................................................................. 37

Chapter 4

Managing Your Network Infrastructure..... 39
Creating Subnets ............................................................................ 39
Editing and Removing Subnet Rules............................................. 40
Using RIP ......................................................................................... 40
Sources ............................................................................................ 42
Creating Source Rules.................................................................... 42
Removing a Rule ............................................................................. 43
Editing a Rule .................................................................................. 43
About IP Address Definitions ......................................................... 43
Ports ................................................................................................. 43
Creating a Ports Rule ..................................................................... 44
Creating an External Alias Rule ..................................................... 45
Editing and Removing External Alias Rules ................................. 45
Port Forwards from External Aliases ............................................ 46


Creating a Source Mapping Rule .................................................. 46
Editing and Removing Source Mapping Rules............................. 47
Managing Internal Aliases.............................................................. 47
Creating an Internal Alias Rule ...................................................... 47
Editing and Removing Internal Alias Rules................................... 48
Working with Secondary External Interfaces ............................... 48
Configuring a Secondary External Interface ................................ 48

Chapter 5

General Network Security Settings ............ 51
Blocking by IP.................................................................................. 51
Creating IP Blocking Rules ............................................................ 51
Editing and Removing IP Block Rules........................................... 52
Configuring Advanced Networking Features ............................... 52
Working with Port Groups.............................................................. 55
Creating a Port Group .................................................................... 56
Adding Ports to Existing Port Groups ........................................... 56
Editing Port Groups ........................................................................ 57
Deleting a Port Group ..................................................................... 57

Chapter 6

Configuring Inter-Zone Security................. 59
About Zone Bridging Rules ............................................................ 59
Creating a Zone Bridging Rule ...................................................... 59
Editing and Removing Zone Bridge Rules.................................... 61
A Zone Bridging Tutorial ................................................................ 61
Creating the Zone Bridging Rule ................................................... 61
Allowing Access to the Web Server .............................................. 62
Accessing a Database on the Protected Network....................... 62
Group Bridging ................................................................................ 63
Group Bridging and Authentication............................................... 63
Creating Group Bridging Rules...................................................... 63
Editing and Removing Group Bridges........................................... 65

Chapter 7

Managing Inbound and Outbound Traffic.. 67
Introduction to Port Forwards – Inbound Security ...................... 67
Port Forward Rules Criteria ........................................................... 67
Creating Port Forward Rules ......................................................... 68
Load Balancing Port Forwarded Traffic........................................ 69
Editing and Removing Port Forward Rules .................................. 69
Advanced Network and Firewall Settings..................................... 69
Network Application Helpers ......................................................... 70
Managing Bad External Traffic ...................................................... 71
Configuring Reflective Port Forwards .......................................... 71
Managing Connectivity Failback ................................................... 71
Managing Outbound Traffic and Services .................................... 72
Working with Port Rules................................................................. 72
Working with Outbound Access Policies...................................... 76
Managing External Services .......................................................... 78

Chapter 8

Advanced Firewall Services ........................ 81
Working with Portals ...................................................................... 81
Creating a Portal ............................................................................. 81

Configuring a Portal........................................................................ 83
Accessing Portals ........................................................................... 86
Editing Portals ................................................................................. 86
Deleting Portals............................................................................... 86
Managing the Web Proxy Service.................................................. 87
Configuring and Enabling the Web Proxy Service ....................... 88
About Web Proxy Methods ............................................................ 91
Configuring End-user Browsers .................................................... 92
Instant Messenger Proxying .......................................................... 93
Monitoring SSL-encrypted Chats .................................................. 96
SIP Proxying .................................................................................... 96
Types of SIP Proxy .......................................................................... 96
Choosing the Type of SIP Proxying............................................... 97
Configuring SIP ............................................................................... 97
FTP Proxying ................................................................................... 99
Configuring non-Transparent FTP Proxying ................................ 99
Configuring Transparent FTP Proxying ...................................... 100
Reverse Proxy Service.................................................................. 102
Configuring the Reverse Proxy Service ...................................... 103
SNMP.............................................................................................. 104
DNS................................................................................................. 105
Adding Static DNS Hosts ............................................................. 105
Enabling the DNS Proxy Service.................................................. 106
Managing Dynamic DNS............................................................... 107
Censoring Message Content ....................................................... 109
Configuration Overview................................................................ 109
Managing Custom Categories ..................................................... 109
Setting Time Periods .................................................................... 110
Creating Filters.............................................................................. 111
Creating and Applying Message Censor Policies...................... 113
Editing Policies.............................................................................. 114
Deleting Policies ........................................................................... 114
Managing the Intrusion System................................................... 114
About the Default Policies............................................................ 114
Deploying Intrusion Detection Policies....................................... 114
Deploying Intrusion Prevention Policies ..................................... 115
Creating Custom Policies............................................................. 117
Uploading Custom Signatures..................................................... 118
DHCP.............................................................................................. 119
Enabling DHCP.............................................................................. 120
Creating a DHCP Subnet.............................................................. 120
Editing a DHCP subnet ................................................................. 123
Deleting a DHCP subnet............................................................... 123
Adding a Dynamic Range ............................................................. 123
Adding a Static Assignment......................................................... 123
Adding a Static Assignment from the ARP Table ...................... 124
Editing and Removing Assignments ........................................... 124
Viewing DHCP Leases .................................................................. 124
DHCP Relaying .............................................................................. 125
Creating Custom DHCP Options ................................................. 125


Chapter 9

Virtual Private Networking ........................ 127
Advanced Firewall VPN Features ................................................ 127
What is a VPN? .............................................................................. 127
About VPN Gateways.................................................................... 128
Administrator Responsibilities..................................................... 128
About VPN Authentication............................................................ 128
PSK Authentication....................................................................... 129
X509 Authentication...................................................................... 129
Configuration Overview................................................................ 130
Working with Certificate Authorities and Certificates............... 131
Creating a CA ................................................................................ 131
Exporting the CA Certificate ........................................................ 132
Importing Another CA's Certificate ............................................. 133
Deleting the Local Certificate Authority and its Certificate ...... 133
Deleting an Imported CA Certificate ........................................... 134
Managing Certificates .................................................................. 134
Creating a Certificate ................................................................... 134
Reviewing a Certificate ................................................................ 135
Exporting Certificates................................................................... 135
Exporting in the PKCS#12 Format............................................... 136
Importing a Certificate.................................................................. 136
Deleting a Certificate .................................................................... 137
Setting the Default Local Certificate ........................................... 137
Site-to-Site VPNs – IPSec............................................................. 138
Recommended Settings ............................................................... 138
Creating an IPsec Tunnel ............................................................. 139
IPSec Site to Site and X509 Authentication – Example ............. 144
Prerequisite Overview .................................................................. 144
Creating the Tunnel on the Primary System............................... 144
Creating the Tunnel on the Secondary System.......................... 145
Checking the System is Active .................................................... 147
Activating the IPSec tunnel .......................................................... 147
IPSec Site to Site and PSK Authentication................................. 147
Creating the Tunnel Specification on Primary System.............. 147
Creating the Tunnel Specification on the Secondary System .. 148
Checking the System is Active .................................................... 149
Activating the PSK tunnel............................................................. 149
About Road Warrior VPNs............................................................ 150
Configuration Overview................................................................ 150
IPSec Road Warriors .................................................................... 151
Creating an IPSec Road Warrior ................................................. 151
Supported IPSec Clients .............................................................. 154
Creating L2TP Road Warrior Connections ................................. 154
Creating a Certificate ................................................................... 154
Configuring L2TP and SSL VPN Global Settings........................ 154
Creating an L2TP Tunnel .............................................................. 155
Configuring an iPhone-compatible Tunnel................................. 156
Using NAT-Traversal..................................................................... 157
VPNing Using L2TP Clients .......................................................... 157
L2TP Client Prerequisites............................................................. 157

Installing an L2TP Client ..........................................................
Connecting Using Windows XP/2000 .................................... 158
VPNing with SSL ............................................................... 162
Prerequisites ................................................................... 162
Configuring VPN with SSL ................................................. 162
Managing SSL Road Warriors ............................................. 163
Managing Group Access to SSL VPNs ................................ 163
Managing Custom Client Scripts for SSL VPNs .................... 164
Generating SSL VPN Archives ........................................... 165
Configuring SSL VPN on Internal Networks ......................... 165
Configuring and Connecting Clients .................................... 166
VPN Zone Bridging ............................................................ 169
Secure Internal Networking ............................................... 169
Creating an Internal L2TP VPN ........................................... 169
Advanced VPN Configuration ............................................. 171
Multiple Local Certificates ................................................. 171
Creating Multiple Local Certificates .................................... 171
Public Key Authentication .................................................. 172
Configuring Both Ends of a Tunnel as CAs .......................... 173
Extended Site to Site Routing ............................................ 173
VPNs between Business Partners ...................................... 174
Managing VPN Systems ..................................................... 175
Automatically Starting the VPN System ............................... 176
Manually Controlling the VPN System ................................. 176
Viewing and Controlling Tunnels ........................................ 177
VPN Logging ..................................................................... 178
VPN Tutorials .................................................................... 178
Example 1: Preshared Key Authentication ........................... 178
Example 2: X509 Authentication ......................................... 180
Example 3: Two Tunnels and Certificate Authentication ....... 182
Example 4: IPSec Road Warrior Connection ........................ 183
Example 5: L2TP Road Warrior ........................................... 186
Working with SafeNet SoftRemote ...................................... 187
Configuring IPSec Road Warriors ....................................... 187
Using the Security Policy Template SoftRemote ................... 188
Creating a Connection without the Policy File ...................... 189
Advanced Configuration ..................................................... 191

Chapter 10

Authentication and User Management ........... 193
Configuring Global Authentication Settings .......................... 193
About Directory Servers ..................................................... 194
Configuring Directories ...................................................... 195
Configuring a Microsoft Active Directory Connection ........... 195
Configuring an LDAP Connection ........................................ 196
Configuring a RADIUS Connection ...................................... 199
Configuring an Active Directory Connection – Legacy Method 200
Configuring a Local Users Directory ................................... 203
Editing a Directory Server .................................................. 203
Reordering Directory Servers ............................................. 204
Deleting a Directory Server ................................................ 204
Diagnosing Directories ...................................................... 204
Managing Local Users ....................................................... 204
Adding Users .................................................................... 204
Editing Local Users ........................................................... 205
Deleting Users .................................................................. 205
Mapping Groups ................................................................ 205
Remapping Groups ............................................................ 206
Deleting Group Mappings ................................................... 206
Managing Temporarily Banned Users .................................. 206
Creating a Temporary Ban .................................................. 206
Removing Temporary Bans ................................................. 207
Removing Expired Bans ..................................................... 207
Managing User Activity ...................................................... 208
Viewing User Activity ......................................................... 208
Logging Users Out ............................................................. 208
Banning Users ................................................................... 208
About SSL Authentication .................................................. 209
Customizing the SSL Login Page ........................................ 209
Reviewing SSL Login Pages ............................................... 210
Configuring SSL Login ....................................................... 211
Creating SSL Login Exceptions .......................................... 211
Managing Kerberos Keytabs .............................................. 212
Adding Keytabs ................................................................. 212
Managing Keytabs ............................................................. 213
Using WPA Enterprise ....................................................... 213
Pre-requisites ................................................................... 214
Configuring WPA Enterprise ............................................... 214
Configuring Access Points ................................................. 215
Provisioning the Advanced Firewall Certificate ................... 215
Managing Groups of Users ................................................. 216
About Groups .................................................................... 216
Adding Groups .................................................................. 216
Editing Groups .................................................................. 217
Deleting Groups ................................................................ 217

Chapter 11

Reporting ..................................................... 219
Accessing Reporting .......................................................... 219
About the Summary Page ................................................... 219
Generating Reports ............................................................ 220
Managing Reports and Folders ........................................... 220
About Recent and Saved Reports ....................................... 220
Saving Reports .................................................................. 220
Canceling a Report ............................................................ 220
Changing Report Formats .................................................. 221
Report Permissions ........................................................... 222
Scheduling Reports ............................................................ 222
Making Reports Available on Portals .................................. 223
Managing Log Retention .................................................... 224

Chapter 12

Information, Alerts and Logging .................. 227
About the Dashboard ......................................................... 227
About the About Page ........................................................ 227
Overview
Enabling Alerts
Logs
IDS Logs
IPS Logs
Web Proxy Logs
Managing Automatic Deletion of Logs
Editing a Group
Deleting a Group
Configuring Output Settings
Configuring Email to SMS Output
Output to Email
Generating a Test Alert
Installing Updates
Removing a Module
Licenses
Creating an Archive
Downloading an Archive
229 Looking up an Alert by Its Reference.......................................................................................................................................................................................... 249 User Portal Logs ................................................................................................ 258 Chapter 13 Managing Your Advanced Firewall................................................................................................................ 233 Realtime System Information ........................................................................................................ 230 Realtime ................ 253 Configuring Groups ................................................................................................................................................................................................................ 257 Testing Email to SMS Output............................................................................................................... 235 Realtime Portal Information ................................................................. 247 IM Proxy Logs...................... 255 About Email to SMS Output ..... 262 About Archive Profiles ......................... 254 Creating Groups.................................................................. 236 Realtime Instant Messaging ................................................. 238 System Logs . 233 Realtime Firewall Information.........Contents Alerts ................ 251 Configuring Log Settings .................................................................................................................................... 230 Configuring Alert Settings......... 243 Email Logs ......... 262 Archives ............................................................................... 256 About Placeholder Tags .... 260 Managing Modules ............... 241 IPSec Logs................................................ 
259 Installing Updates ................................................. 239 Firewall Logs ............................................................. 227 Available Alerts......... 263 viii ....................................................................................................................................................................... 249 Reverse Proxy Logs ......................................................................... 234 Realtime IPsec Information................... 251 Configuring Other Log Settings........................................................................................... 237 Realtime Traffic Graphs ................................................................................................ 259 Installing Updates on a Failover System.............................................................. 262 Installing Licenses ...........................

........................................................................... 272 Configuring Admin Access Options .............................................. 279 How does it work? ...................... 283 Testing Failover....... 276 Deleting a Tenant .......... 280 Configuring Hardware Failover...................................................................................................................................... 288 Whois......................................................................................................................................Smoothwall Advanced Firewall Administrator’s Guide Restoring an Archive .............. 270 Configuring the Hostname ....................................................................... 286 Generating Diagnostics .......................... 290 Deleting and Restoring Certificates ................................................... 286 Configuration Tests ...................................................................................................................................... 289 Managing CA Certificates ........ 290 Importing CA Certificates................ 286 Diagnostics ............................... 287 IP Tools ........................ 268 Configuring the User Interface .. 274 Managing Tenants .......................... 290 Reviewing CA Certificates .......................... 274 Administrative User Settings .................................................................... 290 Exporting CA Certificates..................................................... 272 Referral Checking .................................... 269 Configuring Registration Options..... 267 Shutting down and Rebooting ...... 275 Adding a Tenant .......................................................................................... 290 Chapter 14 Centrally Managing Smoothwall Systems291 About Centrally Managing Smoothwall Systems....................... 292 Configuring Child Nodes ..... 
293 Adding Child Nodes to the System ............................................................................................... 291 Setting up a Centrally Managed Smoothwall System .................................................................................................................................................................................................................................................................................. 291 Pre-requirements ............................ 276 Managing UPS Devices ........................................................................ 264 Uploading an Archive............... 273 Editing and Removing External Access Rules ....................... 275 Editing a Tenant ........................................................................................................................ 266 Editing Schedules ........ 288 Analyzing Network Traffic ............................................................................................ 264 Scheduling .... 264 Deleting Archives ................................................................................................................... 294 ix ........................................ 267 Setting System Preferences ................................................................ 268 Setting Time.......................................................... 271 Configuring Administration and Access Settings ....................... 284 Installing and Uploading Firmware...................................................................................................................................................... 276 Hardware ................................ 280 Administering Failover................................... 284 Configuring Modems .............................................................................................................................................................................................. 
279 Prerequisites ..................................................................... 264 Scheduling Remote Archiving .............................................................................................................................................................................................................................................................................................. 277 Managing Hardware Failover. 292 Configuring the Parent Node .................................................................. 272 Configuring External Access .................................

......Contents Editing Child Node Settings ............................................. 299 Appendix A Authentication ......................................... 308 Viewing Reports.................. Exporting and Drill Down Reporting .................................................... 311 Changing the Report...... 299 Disabling Nodes ............................................................................................. 304 Connecting a Windows 7 System to a WPA-Enterprise/802................... 315 Grouping Sections ............................ 312 Creating Template Reports and Customizing Sections ...................................................................................................................1X Profile Migration............................................. 302 About the Login Time-out ......................................... 297 Accessing the Node Details Page ................ 314 Understanding Groups and Grouped Options ....................................................................................... 298 Working with Updates ................................ 315 Group Ordering ............ 303 Active Directory.......................................................... 308 Report Templates.............................................................................................. 306 Appendix B Understanding Templates and Reports..................................................... 302 Working with Large Directories............. 303 Active Directory Username Types.................................................................................. 316 Creating Feed-forward and Iterative Groups ................. 307 Programmable Drill-Down Looping Engine................ 309 Changing Report Date Ranges ..... 308 Example Report................................................................................................ 304 Kerberos Pre-requisites and Limitations...................................... 302 A Common DNS Pitfall......... 
297 Managing Nodes in a Smoothwall System ... 305 Windows 7 802................... 314 Feed-Forward Reporting ..................................................... 316 Exporting Options .......................................... 304 About Kerberos ..................... 307 Example Report Template.............................................................................. 297 Monitoring Node Status ........................................ 310 Interpreted Results ............................................................................................... 310 Saving Reports ....................................................................................................1X Wireless Network ........................... 308 Changing Report Formats.................................................. 309 Navigating HTML Reports .......................... 302 Advanced Firewall and DNS....... 296 Deleting Nodes in the System............... 304 Troubleshooting ............................................... 301 Verifying User Identity Credentials.......................................................................... 313 Grouped Sections ............................................................................................................. 315 Iterative Reporting ............................................ 298 Rebooting Nodes ...................................................................... Creation and Editing .................................... 317 x ....................................................................................... 303 Accounts and NTLM Identification............................................................. 301 Other Authentication Mechanisms......... 301 About Authentication Mechanisms ....................................................................................................... 301 Overview .................................. 311 Investigating Further (Drill down) .................................................. 
302 Choosing an Authentication Mechanism................................................................................................................................................................ 313 Ordering Sections ...........................................................................................................................

........ 337 Glossary Index ............................................... 324 Search Terms and Search Phrases ....................... 324 Guardian Status Filtering.....................................Smoothwall Advanced Firewall Administrator’s Guide Reporting Folders ..................................................................................................... 341 ....... 335 Basic Hosting Arrangement......................... 332 Appendix D Hosting Tutorials........................ 328 Appendix C Troubleshooting VPNs..................................................... 321 Reporting Sections .............................................................................................................................................................................................. 325 Filtering by Search Terms ..... 336 More Advanced Hosting Arrangement .......................................................................................................... 320 Portal Permissions............................... 320 Renaming Folders ............................... 320 Scheduling Reports ........................................... 321 Generators and Linkers .............................................................................................................................................................. 321 General Sections ............................... 323 HTTP Request Methods and HTTPS Interception ...................................... 332 Windows Networking Issues......................................................................................................................................................................................................................................... 326 URL Extraction and Manipulation................................................................... 
326 Origin Filtering........................................................................................................................................................................................................... 331 L2TP Road Warrior Problems ... 322 Network Interfaces ....................... 320 Deleting Folders ............ 332 Enabling L2TP Debugging.......... 349 xi .... 322 The Anatomy of a URL......................................... 318 Creating a Folder ............................................................................ 331 Site-to-site Problems........................................ 335 Extended Hosting Arrangement ........................

Contents xii .

Chapter 1 Introduction

In this chapter:
• An overview of Advanced Firewall
• Who should read this guide
• User information.

Overview of Advanced Firewall
Advanced Firewall is the Unified Threat Management system for enterprise networks. Combining the functions of perimeter and internal firewalls, Advanced Firewall employs Microsoft Active Directory/LDAP user authentication for policy-based access control to local network zones and Internet services. Secure wireless, secure remote access and site-to-site IPSec connectivity are provided by the integrated VPN gateway.

Advanced Firewall provides:
• Perimeter firewall – multiple Internet connections with load sharing and automatic connection failover
• Internal firewall – segregation of networks into physically separate zones with user-level access control of inter-zone traffic
• Email Security – anti-spam, anti-malware, mail relay and control
• User authentication – policy-based access control and user authentication with support for Microsoft Active Directory, Novell eDirectory and other LDAP authentication servers
• Load balancer – the ideal solution for the efficient and resilient use of multiple Internet connections
• VPN Gateway – site-to-site, secure remote access and secure wireless connections.

Who should read this guide?
System administrators maintaining and deploying Advanced Firewall should read this guide.

Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall training. For information on our current training courses, contact your Smoothwall representative.

Other User Information
Apart from this guide, you can also find information at:
• http://www.smoothwall.net/support contains the Smoothwall support portal, knowledge base and the latest product manuals.

Annual Renewal
To ensure that you have all the functionality documented in this guide, we recommend that you purchase annual renewal. For more information, contact your Smoothwall representative.

72. 2 Accept Advanced Firewall’s certificate. 3 Enter the following information: Field Information Username Enter admin This is the default Advanced Firewall administrator account.141:441 Note: The example address above uses HTTPS to ensure secure communication with your Advanced Firewall. Note: The following sections assume that you have registered and configured Advanced Firewall as described in the Advanced Firewall Installation and Setup Guide. It is possible to use HTTP on port 81 if you are satisfied with less security. for example: https://192.The login screen is displayed. Password Enter the password you specified for the admin account when installing Advanced Firewall.Chapter 2 Advanced Firewall Overview In this chapter: • How to access Advanced Firewall • An overview of the pages used to configure and manage Advanced Firewall. enter the address of your Advanced Firewall. 3 . Accessing Advanced Firewall To access Advanced Firewall: 1 In a web browser.168.

4 Click Login. The Dashboard opens.

The following sections give an overview of Advanced Firewall's default sections and pages.

Dashboard
The dashboard is the default home page of your Advanced Firewall system. It displays service information and customizable summary reports.
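Step 2 of the login procedure above has you accept the appliance's certificate. Because the appliance presents a self-signed certificate, the browser cannot check it against a public CA, so clicking through is trust-on-first-use; the practical check is to compare the certificate's SHA-256 fingerprint with a value recorded out of band (for example from the console at install time) before trusting it. The script below is an added example, not code from the Smoothwall guide or product. The host and port are the guide's example address; EXPECTED_FINGERPRINT is a placeholder you replace with your own recorded value.

```python
"""Pin the Advanced Firewall admin UI certificate before trusting it.

Added example (not part of the Smoothwall guide): fetch the certificate the
admin interface presents on the HTTPS port and compare its SHA-256
fingerprint against one recorded out of band. Only a match means the
certificate you are about to "accept" is the one installed on your appliance.
"""
import hashlib
import hmac
import socket
import ssl

ADMIN_HOST = "192.168.72.141"   # example address from the guide
ADMIN_PORT = 441                # HTTPS admin port from the guide
# Placeholder (assumption): replace with the fingerprint recorded from your appliance.
EXPECTED_FINGERPRINT = "00" * 32


def sha256_fingerprint(der_cert: bytes) -> str:
    """Return the lowercase hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' (browser style) or 'abcd..' and return lowercase hex, no separators."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Compare the presented certificate's fingerprint with the pinned value in constant time."""
    return hmac.compare_digest(sha256_fingerprint(der_cert), normalize_fingerprint(expected))


def fetch_server_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Retrieve the leaf certificate in DER form.

    Verification is deliberately disabled here: a self-signed certificate would
    fail CA validation anyway, and the pin comparison is the actual check.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_admin_ui(host: str = ADMIN_HOST, port: int = ADMIN_PORT,
                   expected: str = EXPECTED_FINGERPRINT) -> bool:
    """Connect to the admin UI and report whether its certificate matches the pin."""
    der = fetch_server_cert(host, port)
    ok = fingerprint_matches(der, expected)
    verdict = "pinned certificate OK" if ok else "FINGERPRINT MISMATCH - do not accept"
    print(f"{host}:{port} presents SHA-256 {sha256_fingerprint(der)}: {verdict}")
    return ok


if __name__ == "__main__":
    # Requires network access to the appliance; exits non-zero on mismatch.
    raise SystemExit(0 if check_admin_ui() else 1)
```

Run it once from a trusted host when you first set the appliance up, record the printed fingerprint, and put it in EXPECTED_FINGERPRINT; after that a mismatch on a later login means either the appliance's certificate was regenerated or something between you and the appliance is intercepting the connection, and in either case you should not click Accept until you know which.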

Logs and reports
The Logs and reports section contains the following sub-sections and pages:

Reports
• Summary: Displays a number of generated reports. For more information, see Chapter 11, About the Summary Page on page 219.
• Reports: Where you generate and organize reports. For more information, see Chapter 11, Generating Reports on page 220.
• Recent and saved: Lists recently-generated and previously saved reports. For more information, see Chapter 11, Saving Reports on page 220.
• Scheduled: Sets which reports are automatically generated and delivered. For more information, see Chapter 11, Scheduling Reports on page 223.
• Custom: Enables you to create and view custom reports. For more information, see Appendix B, Understanding Templates and Reports on page 307.

Alerts
• Alerts: Determine which alerts are sent to which groups of users and in what format. For more information, see Chapter 12, Alerts on page 227.
• Alert settings: Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, see Chapter 12, Configuring Alert Settings on page 230.

Realtime
• System: A realtime view of the system log with some filtering options. For more information, see Chapter 12, Realtime System Information on page 233.
• Firewall: A realtime view of the firewall log with some filtering options. For more information, see Chapter 12, Realtime Firewall Information on page 234.
• IPSec: A realtime view of the IPSec log with some filtering options. For more information, see Chapter 12, Realtime IPsec Information on page 235.
• Portal: A realtime view of activity on user portals. For more information, see Chapter 12, Realtime Portal Information on page 236.
• IM proxy: A realtime view of recent instant messaging conversations. For more information, see Chapter 12, Realtime Instant Messaging on page 237.
• Email: Displays the email log viewer running in realtime mode. For more information, see Chapter 12, Email Logs on page 245.
• Traffic graphs: Displays a realtime bar graph of the bandwidth being used. For more information, see Chapter 12, Realtime Traffic Graphs on page 237.

Logs
• System: Simple logging information for the internal system services. For more information, see Chapter 12, System Logs on page 239.
• Firewall: Displays all data packets that have been dropped or rejected by the firewall. For more information, see Chapter 12, Firewall Logs on page 241.
• IPSec: Displays diagnostic information for VPN tunnels. For more information, see Chapter 12, IPSec Logs on page 243.
• Email: Displays sender, recipient, subject and other email message information. For more information, see Chapter 12, Email Logs on page 245.
• IDS: Displays network traffic detected by the intrusion detection system (IDS). For more information, see Chapter 12, IDS Logs on page 246.
• IPS: Displays network traffic detected by the intrusion prevention system (IPS). For more information, see Chapter 12, IPS Logs on page 247.
• IM proxy: Displays information on instant messaging conversations. For more information, see Chapter 12, IM Proxy Logs on page 248.
• Web proxy: Displays detailed analysis of web proxy usage. For more information, see Chapter 12, Web Proxy Logs on page 249.
• Reverse proxy: Displays information on reverse proxy usage. For more information, see Chapter 12, Reverse Proxy Logs on page 249.

Settings
• Datastore settings: Contains settings to manage the storing of log files, automated log deletion and rotation options. For more information, see Chapter 11, Managing Log Retention on page 224.
• Log settings: Settings to configure which logs you want to keep and an external syslog server to send them to. For more information, see Chapter 12, Configuring Log Settings on page 251.
• Groups: Where you create groups of users which can be configured to receive automated alerts and reports. For more information, see Chapter 12, Configuring Groups on page 254.
• Output settings: Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, see Chapter 12, Configuring Output Settings on page 255.

Networking
The Networking section contains the following sub-sections and pages:

Filtering
• Zone bridging: Used to define permissible communication between pairs of network zones. For more information, see Chapter 5, About Zone Bridging Rules on page 59.
• Group bridging: Used to define the network zones that are accessible to authenticated groups of users. For more information, see Chapter 5, Group Bridging on page 63.
• IP block: Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Chapter 4, Creating IP Blocking Rules on page 51.

Interfaces
• Interfaces: Configure and display information on your Advanced Firewall's internal interfaces. For more information, see Chapter 3, Configuring Global Settings for Interfaces on page 19.
• Connectivity: Used to create external connection profiles and implement them. For more information, see Chapter 3, Connecting Using a Static Ethernet Connectivity Profile on page 20.
• External aliases: Used to create IP address aliases on static Ethernet external interfaces. External aliases allow additional static IPs that have been provided by an ISP to be assigned to the same external interface. For more information, see Chapter 4, Creating an External Alias Rule on page 45.
• Internal aliases: Used to create aliases on internal network interfaces, enabling a single physical interface to route packets between IP addresses on a virtual subnet without the need for physical switches. For more information, see Chapter 4, Managing Internal Aliases on page 47.

Routing
• Subnets: Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Chapter 4, Creating Subnets on page 39.
• RIP: Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Chapter 4, Using RIP on page 40.
• Sources: Used to determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. For more information, see Chapter 4, Sources on page 42.
• Ports: Used to create rules to set the external interface based on the destination port. For more information, see Chapter 4, Ports on page 43.

Interfaces (continued)
• PPP: Used to create Point to Point Protocol (PPP) profiles that store PPP settings for external connections using dial-up modem devices. For more information, see Chapter 3, Creating a PPP Profile on page 31.
• Source mapping: Used to map specific internal hosts or subnets to an external alias. For more information, see Chapter 4, Creating a Source Mapping Rule on page 46.
• Secondaries: Used to configure an additional, secondary external interface. For more information, see Chapter 4, Working with Secondary External Interfaces on page 48.

Firewall
• Port forwarding: Used to forward incoming connection requests to internal network hosts. For more information, see Chapter 6, Introduction to Port Forwards – Inbound Security on page 67.
• Advanced: Used to enable or disable NAT-ing helper modules and manage bad external traffic. For more information, see Chapter 6, Network Application Helpers on page 70.

Outgoing
• Policies: Used to assign outbound access controls to IP addresses and networks. For more information, see Chapter 7, Working with Outbound Access Policies on page 76.
• Ports: Used to define lists of outbound destination ports and services that should be blocked or allowed. For more information, see Chapter 7, Managing Outbound Traffic and Services on page 72.
• External services: Used to define a list of external services that should always be accessible to internal network hosts. For more information, see Chapter 7, Managing External Services on page 78.

Settings
• Port groups: Create and edit groups of ports for use throughout Advanced Firewall. For more information, see Chapter 5, Working with Port Groups on page 55.
• Advanced: Used to configure advanced network and traffic auditing parameters. For more information, see Chapter 4, Configuring Advanced Networking Features on page 52.

Services
The Services section contains the following sub-sections and pages:

Authentication
• Settings: Used to set global login time settings. For more information, see Chapter 10, Configuring Global Authentication Settings on page 193.
• Directories: Used to connect to directory servers in order to retrieve groups, apply network and web filtering permissions, and verify the identity of users trying to access network or Internet resources. For more information, see Chapter 10, About Directory Servers on page 194.
• Groups: Used to customize group names. For more information, see Chapter 10, Managing Groups of Users on page 216.
• Temporary bans: Enables you to manage temporarily banned user accounts. For more information, see Chapter 10, Managing Temporarily Banned Users on page 206.
• User activity: Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Chapter 10, Managing User Activity on page 208.
• SSL login: Used to customize the end-user SSL login page and configure SSL login redirection and exceptions. For more information, see Chapter 10, About SSL Authentication on page 209.
• Kerberos keytabs: This is where Kerberos keytabs are imported and managed. For more information, see Chapter 10, Managing Kerberos Keytabs on page 212.
• WPA Enterprise: Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, see Chapter 10, Using WPA Enterprise on page 213.

User Portal
• Portals: This page enables you to configure and manage user portals. For more information, see Chapter 8, Working with Portals on page 81.
• Groups: This page enables you to assign groups of users to portals. For more information, see Chapter 8, Assigning Groups to Portals on page 85.
• User exceptions: This page enables you to override group settings and assign a user directly to a portal. For more information, see Chapter 8, Making User Exceptions on page 85.

Proxies
• Web proxy: Used to configure and enable the web proxy service, allowing controlled access to the Internet for local network hosts. For more information, see Chapter 8, Managing the Web Proxy Service on page 87.
• Instant messenger: Used to configure and enable instant messaging proxying. For more information, see Chapter 8, Instant Messenger Proxying on page 93.

• SIP: Used to configure and enable a proxy to manage Session Initiation Protocol (SIP) traffic. For more information, see Chapter 8, SIP Proxying on page 96.
• FTP: Used to configure and enable a proxy to manage FTP traffic. For more information, see Chapter 8, FTP Proxying on page 99.
• Reverse proxy: The reverse proxy service enables you to control requests from the Internet and forward them to servers in an internal network. For more information, see Chapter 8, Reverse Proxy Service on page 102.

SNMP
• SNMP: Used to activate Advanced Firewall's Simple Network Management Protocol (SNMP) agent. For more information, see Chapter 8, SNMP on page 104.

DNS
• Static DNS: Used to create a local hostname table for the purpose of mapping the hostnames of local network hosts to their IP addresses. For more information, see Chapter 8, Adding Static DNS Hosts on page 105.
• DNS proxy: Used to provide a DNS proxy service for local network hosts. For more information, see Chapter 8, Enabling the DNS Proxy Service on page 106.
• Dynamic DNS: Used to configure access to third-party dynamic DNS service providers. For more information, see Chapter 8, Managing Dynamic DNS on page 107.

Message Censor
• Policies: Enables you to create and manage filtering policies by assigning actions to matched content. For more information, see Chapter 8, Creating and Applying Message Censor Policies on page 113.
• Filters: This is where you create and manage filters for matching particular types of message content. For more information, see Chapter 8, Creating Filters on page 111.
• Custom categories: Enables you to create and manage custom content categories for inclusion in filters. For more information, see Chapter 8, Managing Custom Categories on page 109.
• Time: This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, see Chapter 8, Setting Time Periods on page 110.

Intrusion System
• Signatures: Enables you to deploy customized and automatic rules in the intrusion detection and intrusion prevention systems. For more information, see Chapter 8, Uploading Custom Signatures on page 118.
• Policies: Enables you to configure Advanced Firewall's intrusion detection and prevention rules for inclusion in IDS and IPS policies. For more information, see Chapter 8, Creating Custom Policies on page 117.
• IDS: Used to enable and configure policies to monitor network activity using the Intrusion Detection System (IDS). For more information, see Chapter 8, Deploying Intrusion Detection Policies on page 114.
• IPS: Used to enable and configure policies to monitor network activity using the Intrusion Prevention System (IPS). For more information, see Chapter 8, Deploying Intrusion Prevention Policies on page 115.

DHCP

Global: Used to enable the Dynamic Host Configuration Protocol (DHCP) service and set its mode of operation. For more information, see Chapter 8, Enabling DHCP on page 120.
DHCP server: Used to configure automatic dynamic and static IP leasing to DHCP requests received from network hosts. For more information, see Chapter 8, Creating a DHCP Subnet on page 120.
DHCP relay: Used to configure the DHCP service to forward all DHCP requests to another DHCP server, and re-route DHCP responses back to the requesting host. For more information, see Chapter 8, DHCP Relaying on page 125.
DHCP leases: Used to view all current DHCP leases, including IP address, MAC address, hostname, lease start and end time, and the current lease state. For more information, see Chapter 8, Viewing DHCP Leases on page 124.
Custom options: Used to create and edit custom DHCP options. For more information, see Chapter 8, Creating Custom DHCP Options on page 125.

System
The System section contains the following sub-sections and pages:

Maintenance

Updates: Used to display and install available product updates, in addition to listing currently installed updates. For more information, see Chapter 13, Installing Updates on page 259.
Scheduler: Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, see Chapter 13, Scheduling on page 264.
Modules: Used to upload, install and remove Advanced Firewall modules. For more information, see Chapter 13, Managing Modules on page 261.
Archives: Used to create and restore archives of system configuration information. For more information, see Chapter 13, Archives on page 262.
Licenses: Used to display and update license information for the licensable components of the system. For more information, see Chapter 13, Licenses on page 262.
Shutdown: Used to shut down or reboot the system. For more information, see Chapter 13, Shutting down and Rebooting on page 267.

Preferences

User interface: Used to manage Advanced Firewall's dashboard settings. For more information, see Chapter 13, Configuring the User Interface on page 268.
Registration options: Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Smoothwall. For more information, see Chapter 13, Configuring Registration Options on page 270.
Hostname: Used to configure Advanced Firewall's hostname. For more information, see Chapter 13, Configuring the Hostname on page 271.
Time: Used to manage Advanced Firewall's time zone, date and time settings. For more information, see Chapter 13, Setting Time on page 269.

Central Management

Overview: This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, see Chapter 14, Managing Nodes in a Smoothwall System on page 297.
Local node: This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, see Chapter 14, Setting up a Centrally Managed Smoothwall System on page 292.
Child nodes: This is where you add and configure nodes in a Smoothwall system. For more information, see Chapter 14, Configuring Child Nodes on page 293.

System Administration

Admin options: Used to enable secure access to Advanced Firewall using SSH, and to enable referral checking. For more information, see Chapter 13, Configuring Admin Access Options on page 272.
Administrative users: Used to manage user accounts and set or edit user passwords on the system. For more information, see Chapter 13, Administrative User Settings on page 274.
External access: Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Advanced Firewall. For more information, see Chapter 13, Configuring External Access on page 273.
Modem: Used to create up to five different modem profiles, typically used when creating external dial-up connections. For more information, see Chapter 13, Configuring Modems on page 284.
Firmware upload: Used to upload firmware used by USB modems. For more information, see Chapter 13, Installing and Uploading Firmware on page 286.

Hardware

UPS: Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, see Chapter 13, Managing UPS Devices on page 277.
Failover: Used to specify what Advanced Firewall should do in the event of a hardware failure. For more information, see Chapter 13, Managing Hardware Failover on page 279.

Diagnostics

Configuration tests: Used to ensure that your current Advanced Firewall settings are not likely to cause problems. For more information, see Chapter 13, Diagnostics on page 286.
Diagnostics: Used to create diagnostic files for support purposes. For more information, see Chapter 13, Generating Diagnostics on page 287.
IP tools: Contains the ping and trace route IP tools. For more information, see Chapter 13, IP Tools on page 288.
Whois: Used to find and display ownership information for a specified IP address or domain name. For more information, see Chapter 13, Whois on page 288.
Traffic analysis: Used to generate and display detailed information on current traffic. For more information, see Chapter 13, Analyzing Network Traffic on page 289.

Certificates

Certificate authorities: Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, see Chapter 13, Managing CA Certificates on page 290.

It is also possible to import and export CA certificates on this page.

VPN
The VPN section contains the following pages:

Control: Used to show the current status of the VPN system and enable you to stop and restart the service. For more information, see Chapter 9, Managing VPN Systems on page 175.
Global: Used to configure global settings for the VPN system. For more information, see Chapter 9, Setting the Default Local Certificate on page 137.
Certificate authorities: Used to create a local certificate authority (CA) for use in an X.509 certificate-authenticated VPN setup. For more information, see Chapter 9, Working with Certificate Authorities and Certificates on page 131.
Certificates: Used to create host certificates if a local CA has been created. This page also provides controls to import, export, view and delete host certificates. For more information, see Chapter 9, Managing Certificates on page 134.
IPSec subnets: Used to configure IPSec subnet VPN tunnels. For more information, see Chapter 9, Site-to-Site VPNs – IPSec on page 138.
IPSec roadwarriors: Used to configure IPSec road warrior VPN tunnels. For more information, see Chapter 9, IPSec Road Warriors on page 151.
L2TP roadwarriors: Used to create and manage L2TP road warrior VPN tunnels. For more information, see Chapter 9, Creating L2TP Road Warrior Connections on page 154.
SSL roadwarriors: Enables you to configure and upload custom SSL VPN client scripts. For more information, see Chapter 9, Managing Custom Client Scripts for SSL VPNs on page 164.

Configuration Guidelines
This section provides guidance about how to enter suitable values for frequently required configuration settings.

Specifying Networks, Hosts and Ports

IP Address
An IP address defines the network location of a single network host. For example: 192.168.10.1

IP Address Range
An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets. The following format is used: 192.168.10.1-192.168.10.20
For example, a range spanning subnets: 192.168.10.1-192.168.12.255
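The formats in this section (a single address, a low-to-high range, and the subnet, netmask and port formats that follow) are easy to get subtly wrong in a rule field. The Python below is an added example, not Smoothwall code: it parses each format with the standard library and refuses the values a firewall rule should not accept, namely a range entered high to low, a port outside 1 to 65535, and a wildcard (host-mask) entered where a netmask is expected. The sample values are the ones this section uses.

```python
import ipaddress
import re

# Added example (not Smoothwall code): parsers for the value formats the
# Configuration Guidelines describe, with the checks a rule editor should
# apply before a value reaches a firewall rule.

IP_RANGE_RE = re.compile(r"^(\S+)-(\S+)$")
PORT_RANGE_RE = re.compile(r"^(\d{1,5}):(\d{1,5})$")


def parse_ip(text):
    """Single host, e.g. 192.168.10.1."""
    return ipaddress.IPv4Address(text.strip())


def parse_ip_range(text):
    """low-high, e.g. 192.168.10.1-192.168.12.255; may span subnets, must run low to high."""
    m = IP_RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an address range: {text!r}")
    low, high = parse_ip(m.group(1)), parse_ip(m.group(2))
    if high < low:
        raise ValueError(f"range must run from low to high: {text!r}")
    return low, high


def parse_subnet(text, netmask=None, strict=False):
    """address/prefix, address/netmask, or address plus a separately entered netmask.

    strict=False follows the guide (any address inside the network is accepted);
    strict=True rejects host bits such as 192.168.10.5/24 so a typo cannot widen a rule.
    """
    spec = text.strip()
    if netmask is not None:
        spec = f"{spec}/{netmask.strip()}"
    net = ipaddress.IPv4Network(spec, strict=strict)
    # ipaddress silently accepts host-mask (wildcard) notation such as 0.0.0.255;
    # a netmask field should not, so insist that the mask given is the netmask.
    if "/" in spec and not spec.split("/", 1)[1].isdigit():
        if ipaddress.IPv4Address(spec.split("/", 1)[1]) != net.netmask:
            raise ValueError(f"not a netmask: {spec!r}")
    return net


def parse_port(text):
    """Single numeric port, e.g. 21 or 7070."""
    port = int(text.strip())
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_port_range(text):
    """low:high, e.g. 137:139."""
    m = PORT_RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a port range: {text!r}")
    low, high = parse_port(m.group(1)), parse_port(m.group(2))
    if high < low:
        raise ValueError(f"port range must run from low to high: {text!r}")
    return low, high


PARSERS = (
    ("port", parse_port),
    ("port_range", parse_port_range),
    ("ip", parse_ip),
    ("ip_range", parse_ip_range),
    ("subnet", parse_subnet),
)


def classify(value):
    """Identify which guideline format a raw field value uses and parse it."""
    for kind, parser in PARSERS:
        try:
            return kind, parser(value)
        except ValueError:  # AddressValueError and NetmaskValueError are subclasses
            continue
    raise ValueError(f"unrecognised value: {value!r}")


def host_matches(kind, parsed, host):
    """Does a single host fall inside an ip, ip_range or subnet value?"""
    addr = parse_ip(host)
    if kind == "ip":
        return addr == parsed
    if kind == "ip_range":
        return parsed[0] <= addr <= parsed[1]
    if kind == "subnet":
        return addr in parsed
    raise TypeError(f"{kind} values do not describe hosts")


if __name__ == "__main__":
    for raw in ("192.168.10.1", "192.168.10.1-192.168.12.255",
                "192.168.10.0/255.255.255.0", "192.168.10.0/24", "21", "137:139"):
        print(raw, "->", classify(raw))
```

The order of PARSERS matters: a bare number is tried as a port before anything address-shaped, and a single address is tried before the subnet parser, which would otherwise accept it as a /32 network.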

Subnet Addresses
A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways:
192.168.10.0/255.255.255.0
192.168.10.0/24
Some pages allow a network mask to be entered separately for ease of use.

Netmasks
A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Examples:
255.255.255.0
255.255.0.0
255.255.248.0

Service and Ports
A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field. Examples:
21
7070

Port Range
A 'Port range' can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used: 137:139

Using Comments
Almost every configurable aspect of Advanced Firewall can be assigned a descriptive text comment. Comments are entered in the Comment fields and displayed alongside saved configuration information. This feature is provided so that administrators can record human-friendly notes against configuration settings they implement.

Creating, Editing and Removing Rules
Much of Advanced Firewall is configured by creating rules, for example, IP block rules and administration access rules.

Creating a Rule
To create a rule:
1 Enter configuration details in the Add a new rule area.
2 Click Add to create the rule and add it to the appropriate Current rules area.

Editing a Rule
To edit a rule:
1 Find the rule in the Current rules area and select its adjacent Mark option.

2 Click Edit to populate the configuration controls in the Add a new rule area with the rule's current configuration values.
3 Change the configuration values as necessary.
4 Click Add to re-create the edited rule and add it to the Current rules area.

Removing a Rule
To remove one or more rules:
1 Select the rule(s) to be removed in the Current rules area.
2 Click Remove to remove the selected rule(s).

Note: The same processes for creating, editing and removing rules also apply to a number of pages where hosts and users are the configuration elements being created. On such pages, the Add a new rule and Current rules areas will be Add a new host and Current users, etc.

Connecting via the Console
You can access Advanced Firewall via a console using the Secure Shell (SSH) protocol.

Note: By default, Advanced Firewall only allows SSH access if it has been specifically configured. See Chapter 13, Configuring Admin Access Options on page 272 for more information.

Connecting Using a Client
When SSH access is enabled, you can connect to Advanced Firewall via a secure shell application, such as PuTTY.

To connect using an SSH client:
1 Check SSH access is enabled on Advanced Firewall. See Chapter 13, Configuring Admin Access Options on page 272 for more information.
2 Start PuTTY or an equivalent client.
3 Enter the following information:
Host Name (or IP address): Enter Advanced Firewall's host name or IP address.

Port: Enter 222.
Protocol: Select SSH.
4 Click Open. On first connection the client displays the host key fingerprint it has not seen before; verify it before going further, because the password you are about to type is only as safe as the host you send it to. When prompted, enter root, and the password associated with it. You are given access to the Advanced Firewall command line.

Secure Communication
When you connect your web browser to Advanced Firewall's web-based interface on a HTTPS port for the first time, your web browser will display a warning that Advanced Firewall's certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity or because you are connecting to a site pretending to be another site.

Unknown Entity Warning
This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. Advanced Firewall's certificate is a self-signed certificate. To remove this warning, your web browser needs to be told to trust certificates generated by Advanced Firewall. To do this, import the certificate into your web browser. The details of how this is done vary between browsers and operating systems. See your browser's documentation for information on how to import the certificate.

Inconsistent Site Address
Your browser will generate a warning if Advanced Firewall's certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address. Advanced Firewall's certificate contains a single site name: its hostname. If you try to access the site using its IP address, for example, the names will not match. To remove this warning, access Advanced Firewall using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated. In most cases, browsers have an option you can select to ignore this warning and which will ignore these security checks in the future. Prefer importing the certificate and using the hostname where you can: a permanent exception also suppresses the warning if a different device later answers at that address.

Note: The data traveling between your browser and Advanced Firewall is secure and encrypted. Neither of the above issues compromises the security of HTTPS access. They simply serve to illustrate that HTTPS is about identity as well as encryption.
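The two warnings above are the two halves of the identity check a browser makes: is the certificate trusted, and does it name the address you typed. The Python below is an added example, not Smoothwall code, that models that check against certificates in the shape Python's ssl module reports them, shows why a hostname-only certificate fails when the firewall is reached by IP address, and gives the programmatic equivalent of importing the certificate (trusting that one certificate with hostname checking still on) rather than switching verification off. The hostname fw.example.net, the address 192.168.10.1 and both certificate dicts are constructed for the example.

```python
import hashlib
import ipaddress
import ssl

# Added example (not Smoothwall code). The dicts mirror what
# ssl.SSLSocket.getpeercert() returns; the names in them are assumptions.

FIREWALL_CERT = {  # constructed: as the guide describes, a single site name, the hostname
    "subject": ((("commonName", "fw.example.net"),),),
}

FIREWALL_CERT_WITH_SAN = {  # constructed: a certificate that also names the address
    "subject": ((("commonName", "fw.example.net"),),),
    "subjectAltName": (("DNS", "fw.example.net"), ("IP Address", "192.168.10.1")),
}


def cert_names(cert):
    """Names the certificate claims to identify: subjectAltName if present,
    otherwise the subject commonName, which is how browsers fall back."""
    san = cert.get("subjectAltName", ())
    if san:
        return [(kind, value) for kind, value in san]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [("DNS", value)]
    return []


def _dns_match(pattern, host):
    # RFC 6125 style: case-insensitive, a wildcard only as the whole leftmost label
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(h_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def name_matches(cert, requested):
    """True when the address typed into the browser is a name the certificate carries.
    An IP address only matches an 'IP Address' entry, never a DNS name, which is the
    Inconsistent Site Address case."""
    try:
        addr = ipaddress.ip_address(requested)
    except ValueError:
        addr = None
    for kind, value in cert_names(cert):
        if addr is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == addr:
                return True
        elif kind == "DNS" and _dns_match(value, requested):
            return True
    return False


def fingerprint(der_bytes):
    """SHA-256 fingerprint in the colon-separated form browsers display, so the
    certificate you import can be compared with the one shown at the console."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pinned_context(exported_cert_path):
    """Trust only the firewall's own exported certificate, with hostname checking on.
    This is the programmatic equivalent of importing the certificate into the browser;
    unlike ssl.CERT_NONE it still rejects an impostor presenting a different certificate."""
    ctx = ssl.create_default_context(cafile=exported_cert_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for cert, label in ((FIREWALL_CERT, "hostname-only"), (FIREWALL_CERT_WITH_SAN, "with SAN")):
        for requested in ("fw.example.net", "192.168.10.1"):
            print(f"{label:14} {requested:16} -> {name_matches(cert, requested)}")
```

Run stand-alone, the hostname-only certificate matches fw.example.net but not 192.168.10.1; a certificate that also carries the address in a subjectAltName matches both, which is why the guide's advice is to connect by hostname.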

Chapter 3 Working with Interfaces

In this chapter:
• Configuring global settings for interfaces
• Creating an Internet connectivity profile
• Working with bridges
• Working with bonded interfaces
• Managing Advanced Firewall's network interfaces
• Changing the IP address

Configuring Global Settings for Interfaces
Global settings determine Advanced Firewall's default gateway and primary and secondary DNS addresses.

To configure global settings:
1 Browse to the Networking > Interfaces > Interfaces page.

The following global interface settings are available:

Default gateway: This setting determines Advanced Firewall's default gateway. When using a connectivity profile to connect to the Internet, select the Use external connectivity profile option. For more information, see Connecting Using an Internet Connectivity Profile on page 20.
Primary DNS: If Advanced Firewall is to be integrated as part of an existing DNS infrastructure, enter the appropriate DNS server information within the existing infrastructure. For more information, see Appendix A, Advanced Firewall and DNS on page 302.
Secondary DNS: Enter the IP address of the secondary DNS server, if one is available.

Connecting Using an Internet Connectivity Profile
Advanced Firewall supports the following Internet connection methods:

Ethernet: An Ethernet NIC routed to an Internet connection, controlled by Advanced Firewall.
Ethernet/modem hybrid: An Ethernet NIC routed to an external modem connected to the Internet via an ISP, not controlled by Advanced Firewall.
Modem: An internal or external modem connected to the Internet via an ISP, controlled by Advanced Firewall.

Up to five different connections to the Internet can be defined, each stored in its own connectivity profile. Each profile defines the type of connection that should be used and appropriate settings. A modem profile contains hardware and dialling preferences to control the behavior of dial-up modem devices. A modem profile is used solely for connections using dial-up modems. The following sections explain how to connect using different connection methods.

Connecting Using a Static Ethernet Connectivity Profile
The following section explains how to connect to the Internet using a static Ethernet connectivity profile. A static Ethernet connection enables Advanced Firewall to use a static IP address as assigned by your ISP.

To connect using a static Ethernet connectivity profile:
1 On the Networking > Interfaces > Interfaces page, configure the following setting:
Default gateway: Select Use external connectivity profile.

Note: Advanced Firewall's default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.

2 Point to the network interface card (NIC) you want to use and select Edit.
3 In the Edit interface dialog box, configure the following settings:
Name: Accept the default name or enter a custom name.
Use as: Select External.
4 On the Networking > Interfaces > Connectivity page, configure the following settings:
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select Static Ethernet.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign a weight to an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.

5 Click Update.
6 In the Static Ethernet settings area, configure the following settings:
Interface: From the drop-down list, select the Ethernet interface for this connection.
Address: Enter the static IP address provided by your ISP.
Netmask: Enter the subnet mask as provided by your ISP.
Default gateway: Enter the default gateway IP address as provided by your ISP.
Primary DNS: Enter the primary DNS server details as provided by your ISP.
Secondary DNS: Enter the secondary DNS server details as provided by your ISP.
7 Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using a DHCP Ethernet Connectivity Profile
The following section explains how to connect to the Internet using a DHCP Ethernet connectivity profile. A DHCP Ethernet connection enables Advanced Firewall to be allocated a dynamic IP address, as assigned by the ISP.

To connect using a DHCP Ethernet connectivity profile:
1 On the Networking > Interfaces > Interfaces page, configure the following setting:
Default gateway: Select Use external connectivity profile.

Note: Advanced Firewall's default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.

2 Point to the network interface card (NIC) you want to use and select Edit.
3 In the Edit interface dialog box, configure the following settings:
Name: Accept the default name or enter a custom name.
Use as: Select External.
4 On the Networking > Interfaces > Connectivity page, configure the following settings:
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select DHCP Ethernet.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.

Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign a weight to an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
5 Click Update and, in the DHCP Ethernet settings area, configure the following settings:
Interface: From the drop-down list, select the Ethernet interface for this connection.
DHCP Hostname: Optionally, enter a DHCP hostname, if provided by your ISP.
MAC spoof: Enter a spoof MAC value, if required.
6 Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using a PPP over Ethernet Connectivity Profile
The following section explains how to connect to the Internet using a PPP over Ethernet connectivity profile.
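The Static Ethernet and DHCP Ethernet procedures above share the failover ping, Automatic failover to profile and load balancing settings, and the remaining connection methods use the same ones. As an added example (not Smoothwall code), the Python below models the behaviour those settings describe so a planned profile chain can be checked before it is typed in: a connection counts as up while either ping target answers, the daisy chain is walked until a working profile or the reboot option is reached, a chain that loops back on itself is reported as a configuration error rather than retried forever, and, when load balancing is enabled, traffic is split in proportion to the Weighting values, with everything leaving by the primary connection when no load balance setting is enabled. Profile names, the RFC 5737 test addresses and the reachability function are constructed for the example; the smooth weighted round robin used for the split is an assumption about how a weighted pool behaves, not a description of Advanced Firewall's implementation.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Added example (not Smoothwall code): a model of the failover chain and
# weighted load-balancing pool described by the connectivity profile settings.

REBOOT = "reboot"  # stands for the reboot option of Automatic failover to profile (assumed label)


@dataclass
class Profile:
    name: str
    primary_ping: str                  # Primary failover ping IP
    secondary_ping: Optional[str] = None   # Secondary failover ping IP
    failover_to: Optional[str] = None  # Automatic failover to profile: a name, REBOOT, or None
    load_balance: bool = False         # Load balance outgoing traffic
    weight: int = 1                    # Weighting, used only when load_balance is set


def connection_is_up(profile: Profile, reachable: Callable[[str], bool]) -> bool:
    """The connection counts as up while either failover ping target answers."""
    targets = [t for t in (profile.primary_ping, profile.secondary_ping) if t]
    return any(reachable(t) for t in targets)


def resolve_failover(profiles: Dict[str, Profile], start: str,
                     reachable: Callable[[str], bool]) -> Optional[str]:
    """Walk the daisy chain from `start`: return the first profile whose pings succeed,
    REBOOT if the chain ends in the reboot option, or None if it simply runs out."""
    visited: List[str] = []
    current: Optional[str] = start
    while current is not None and current != REBOOT:
        if current in visited:
            raise ValueError("failover loop: " + " -> ".join(visited + [current]))
        if current not in profiles:
            raise KeyError(f"Automatic failover to profile names unknown profile {current!r}")
        visited.append(current)
        if connection_is_up(profiles[current], reachable):
            return current
        current = profiles[current].failover_to
    return current


def balancing_pool(profiles: Dict[str, Profile], primary: str) -> Dict[str, int]:
    """Connections that share outbound traffic, with their weights. With no load
    balance setting enabled everything leaves by the primary connection."""
    pool = {p.name: p.weight for p in profiles.values() if p.load_balance and p.weight > 0}
    return pool if pool else {primary: 1}


def schedule(pool: Dict[str, int], n: int) -> List[str]:
    """Smooth weighted round robin: n consecutive picks, spread in proportion to the weights
    without long runs on one connection."""
    current = {name: 0 for name in pool}
    total = sum(pool.values())
    picks: List[str] = []
    for _ in range(n):
        for name, weight in pool.items():
            current[name] += weight
        chosen = max(current, key=current.get)
        current[chosen] -= total
        picks.append(chosen)
    return picks


def share(pool: Dict[str, int], n: int) -> Dict[str, int]:
    """How many of n flows each connection in the pool carries."""
    counts = {name: 0 for name in pool}
    for name in schedule(pool, n):
        counts[name] += 1
    return counts


# Constructed sample: two ISPs, ISP-A preferred 3:1, ISP-A failing over to ISP-B,
# ISP-B failing over to the reboot option.
PROFILES = {
    "ISP-A": Profile("ISP-A", "203.0.113.1", "203.0.113.2", failover_to="ISP-B",
                     load_balance=True, weight=3),
    "ISP-B": Profile("ISP-B", "198.51.100.1", failover_to=REBOOT,
                     load_balance=True, weight=1),
}


def only_isp_b_answers(ip: str) -> bool:
    """Constructed reachability: ISP-A's ping targets are down, ISP-B's is up."""
    return ip == "198.51.100.1"


if __name__ == "__main__":
    print("active profile:", resolve_failover(PROFILES, "ISP-A", only_isp_b_answers))
    print("all down:", resolve_failover(PROFILES, "ISP-A", lambda ip: False))
    print("split of 8 flows:", share(balancing_pool(PROFILES, "ISP-A"), 8))
```

Two things are worth checking with a model like this before configuring a chain for real: that the chain terminates (a profile that names an earlier one as its failover target never reaches the reboot option), and that the reboot option is really what you want at the end of the chain, since a firewall rebooting in a loop because both ISPs are down is harder to reach than one that stays up on the console.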

To connect using a PPP over Ethernet connection:
1 On the Networking > Interfaces > Interfaces page, configure the following setting:
Default gateway: Select Use external connectivity profile.

Note: Advanced Firewall's default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.

2 Point to the network interface card (NIC) you want to use and select Edit.
3 In the Edit interface dialog box, configure the following settings:
Name: Accept the default name or enter a custom name.
Use as: Select External.
4 On the Networking > Interfaces > Connectivity page, configure the following settings:
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select PPP over Ethernet.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.

Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign a weight to an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.
5 Click Update.
6 In the PPP over Ethernet settings area, configure the following settings:
Interface: From the drop-down list, select the Ethernet interface for this connection.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one.
Service name: If required, enter the service name as specified by your ISP.
Concentrator: If required, enter the concentrator name as specified by your ISP.
7 Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using a PPTP over Ethernet Connectivity Profile
This section explains how to configure Advanced Firewall to use a PPTP modem for Internet connectivity.

To connect using a PPTP over Ethernet connection:
1 On the Networking > Interfaces > Interfaces page, configure the following setting:
Default gateway: Select Use external connectivity profile.

Note: Advanced Firewall's default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.

2 Point to the network interface card (NIC) you want to use and select Edit.
3 In the Edit interface dialog box, configure the following settings:
Name: Accept the default name or enter a custom name.
Use as: Select External.

4 On the Networking > Interfaces > Connectivity page, configure the following settings:
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select PPTP over Ethernet.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign a weight to an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
5 Click Update. In the PPTP over Ethernet settings area, configure the following settings:
Interface: From the drop-down list, select the Ethernet interface for this connection.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 31.

Address: Enter the IP address assigned by your ISP.
Netmask: Enter the netmask assigned by your ISP.
Gateway: Enter the gateway assigned by your ISP.
Telephone: Enter the dial telephone number as provided by your ISP.

6 Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using an ADSL/DSL Modem Connectivity Profile

Advanced Firewall can connect to the Internet using an ADSL modem. If your ADSL connection uses a PPPoE connection, see Connecting using a PPP over Ethernet Connectivity Profile on page 23 for more information.

Note: To connect using an ADSL modem, the ADSL device must have been either configured during the initial installation and setup or post-installation by launching the setup program from the system console. For further information, see the Advanced Firewall Installation and Setup Guide.

To connect using an ADSL/DSL modem connectivity profile:

1 On the Networking > Interfaces > Connectivity page, configure the following settings:

Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select ADSL modem.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.

Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection. Load balancing is performed according to the respective weights of each connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection. Load balancing is performed according to the respective weights of each connection.
Weighting: Select from the drop-down list to assign a weight to the external connection in the load balancing pool.

2 Click Update.

In the ADSL modem settings area, configure the following settings:

Service name: Leave this field blank. It is not required for this type of profile.
Concentrator: Leave this field blank. It is not required for this type of profile.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 31.

3 Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using an ISDN Modem Connectivity Profile

Note: The following sections apply if an ISDN modem is installed in your Advanced Firewall.

This section explains how to configure Advanced Firewall to connect to the Internet using an ISDN modem for Internet connectivity.

Note: To connect using an ISDN modem, an ISDN device must have been configured during the initial installation and setup of Advanced Firewall. Alternatively, ISDN devices can be configured post-installation by launching the setup program from the system console. For further information, see the Advanced Firewall Installation and Setup Guide.

To connect using an ISDN modem connectivity profile:

1 On the Networking > Interfaces > Connectivity page, configure the following settings:

Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select ISDN TA.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.

Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection. Load balancing is performed according to the respective weights of each connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection. Load balancing is performed according to the respective weights of each connection.
Weighting: Select from the drop-down list to assign a weight to the external connection in the load balancing pool.

2 Click Update.

In the ISDN settings area, configure the following settings:

PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > Interfaces page and create one. For more information, see Creating a PPP Profile on page 31.
Channels: From the drop-down list, select either Single channel or Dual channel, depending on whether you are using one or two ISDN lines.
Keep second channel up: Select to force the second channel to remain open when its data rate falls below a worthwhile threshold. Note: ISDN connections sometimes suffer from changeable data throughput rates. If this occurs in dual channel mode, and the data-rate of the second channel decreases below a threshold where it is of no benefit, Advanced Firewall will automatically close it. Forcing the second channel to stay up will help prevent this from happening.
Telephone: Enter the telephone number for the ISDN connection.

Minimum time to keep second channel up (sec): Enter a minimum time, in seconds, for which the second channel is kept up. This option is of use if your ISDN connection experiences intermittent loss of data throughput, when the second channel data-rate falls below the threshold for short periods of time.

3 Click Save to save the profile or Save and connect to save the profile and use it to connect to the Internet immediately.

Connecting Using a Dial-up Modem Connectivity Profile

This section explains how to connect to the Internet using a dial-up modem for Internet connectivity.

To connect using a dial-up modem connectivity profile:

1 On the Networking > Interfaces > Connectivity page, configure the following settings:

Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select Modem.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection. Load balancing is performed according to the respective weights of each connection.

Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection. Load balancing is performed according to the respective weights of each connection.
Weighting: Select from the drop-down list to assign a weight to the external connection in the load balancing pool.

2 Click Update.

In the Modem settings area, configure the following settings:

PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to Networking > Interfaces > Interfaces and create one. For more information, see Creating a PPP Profile on page 31.
Modem profile: From the drop-down list, select the modem profile to use. See Configuring Modems on page 284 for more information on modem profiles.
Telephone: Enter the telephone number for the connection.

3 Click Save and connect to save the profile and use it to connect to the Internet immediately.

Creating a PPP Profile

Up to five PPP profiles can be created to store username, password and connection-specific details for connections where Advanced Firewall controls the connecting device, including ISDN, devices attached to Advanced Firewall, and Ethernet/modem hybrid devices. A PPP profile contains the username, password and other settings used for dial-up type connections. The advantage of storing these settings in a PPP profile is that multiple connection profiles can refer to the same authentication and dial settings. This is useful for creating multiple profiles to ISPs that support a range of access technologies that are authenticated via the same user account.
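The failover and load-balancing settings shared by all the connectivity profiles above (Primary and Secondary failover ping IP, Automatic failover to profile with daisy-chaining, the reboot option, and Weighting) behave as modelled in this added Python example, which is not Smoothwall's own code; the profile names, ping addresses and reachability results are constructed stand-ins for real probes.

```python
"""Failover-chain and load-balancing behaviour of connectivity profiles.

Added example, not Smoothwall's own code. It models the documented semantics
of the Primary/Secondary failover ping IP, Automatic failover to profile
(daisy-chaining), the reboot-if-all-fail option and the per-connection
Weighting, using a constructed reachability table in place of real pings.
Profile names and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ConnectivityProfile:
    name: str
    primary_ping_ip: str
    secondary_ping_ip: Optional[str] = None   # optional in the GUI
    failover_to: Optional[str] = None         # "Automatic failover to profile"
    load_balance: bool = False                # "Load balance outgoing traffic"
    weighting: int = 1                        # "Weighting"


def profile_is_up(profile: ConnectivityProfile,
                  reachable: Callable[[str], bool]) -> bool:
    """The connection fails over only when BOTH ping hosts are unreachable;
    a single answering host keeps the profile in service."""
    hosts = [profile.primary_ping_ip]
    if profile.secondary_ping_ip:
        hosts.append(profile.secondary_ping_ip)
    return any(reachable(h) for h in hosts)


def select_profile(profiles: List[ConnectivityProfile], start: str,
                   reachable: Callable[[str], bool],
                   reboot_if_all_fail: bool = False) -> Tuple[Optional[str], str]:
    """Walk the daisy chain from `start` and return (profile name, action).

    action is "connected", "reboot" (the reboot option is set and every profile
    in the chain failed) or "all-failed". Profiles already tried are remembered
    so a chain that loops back on itself (A -> B -> A) terminates instead of
    retrying forever.
    """
    by_name = {p.name: p for p in profiles}
    tried: List[str] = []
    current: Optional[str] = start
    while current is not None and current not in tried:
        tried.append(current)
        profile = by_name[current]
        if profile_is_up(profile, reachable):
            return current, "connected"
        current = profile.failover_to
    return None, ("reboot" if reboot_if_all_fail else "all-failed")


def traffic_shares(primary: str,
                   profiles: List[ConnectivityProfile]) -> Dict[str, float]:
    """Fraction of outbound traffic per connection. The pool is the primary plus
    every secondary with load balancing enabled; with no secondary in the pool
    everything leaves via the primary, otherwise traffic is divided in
    proportion to each connection's Weighting."""
    by_name = {p.name: p for p in profiles}
    pool = [by_name[primary]] + [p for p in profiles
                                 if p.load_balance and p.name != primary]
    if len(pool) == 1:
        return {primary: 1.0}
    total = sum(p.weighting for p in pool)
    return {p.name: p.weighting / total for p in pool}


# Constructed reachability table standing in for ping results.
REACHABLE = {"198.51.100.1": False, "198.51.100.2": False,   # main line down
             "203.0.113.1": True}                              # backup line up

PROFILES = [
    ConnectivityProfile("dsl-main", "198.51.100.1", "198.51.100.2",
                        failover_to="isdn-backup", weighting=3),
    ConnectivityProfile("isdn-backup", "203.0.113.1",
                        failover_to="dsl-main", load_balance=True, weighting=1),
]

if __name__ == "__main__":
    print(select_profile(PROFILES, "dsl-main", REACHABLE.get))
    print(traffic_shares("dsl-main", PROFILES))
```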

To create a PPP profile:

1 Navigate to the Networking > Interfaces > PPP page.

2 Configure the following settings:

Profiles: From the drop-down list, select Empty.
Profile name: Enter a name for the profile.
Username: Enter your ISP assigned username.
Password: Enter your ISP assigned password.
Method: Choose the authentication method as specified by your ISP in this field.
Script name: Enter the name of a logon script here, if your ISP informs you to do so. Ensure that the relevant script type has been selected in the Method drop-down list.
Persistent connection: Select to ensure that once this PPP connection has been established, it will remain connected, regardless of the value entered in the Idle timeout field.
Idle timeout: Enter the number of minutes that the connection must remain inactive for before it is automatically closed by Advanced Firewall. This may help reduce costs if your ISP uses per unit time billing. Enter 0 to disable this setting.
Dial on Demand: Select to ensure that the PPP connection is only established if an outbound request is made.
Dial on Demand for DNS: Select to ensure that the system dials for DNS requests – this is normally the desired behavior.
Maximum retries: Enter the maximum number of times that Advanced Firewall will try to connect following failure to connect.
Type: Specifies the DNS type used by your ISP. Automatic – select if your ISP automatically allocates DNS settings upon connection. Manual – select if your ISP has provided you with DNS server addresses to enter.
Primary DNS: If Manual has been selected, enter the primary DNS server IP address.

Secondary DNS: If Manual has been selected, enter the secondary DNS server IP address.

3 Click Save to save your settings and create a PPP profile.

Modifying Profiles

To modify a profile:

1 On the Networking > Interfaces > Connectivity page, from the Profiles drop-down list, select the profile you wish to modify and click Select.
2 Make the changes. See Connecting Using an Internet Connectivity Profile on page 20 for information on the settings.
3 Click Save. Advanced Firewall modifies the profile.

Note: Any changes made to a profile used in a current connection will only be applied following reconnection.

Deleting Profiles

To delete a profile:

1 On the Networking > Interfaces > Connectivity page, from the Profiles drop-down list, select the profile you wish to delete and click Select.
2 Click Delete. Advanced Firewall deletes the profile.

Note: Deleting a profile used as part of a current connection will cause the current connection to close.

Working with Bridges

It is possible to deploy Advanced Firewall in-line using two or more NICs to create a transparent bridge on which Deep Packet Inspection is possible. The following sections explain how to create, edit and delete bridges.

Creating Bridges

To create a bridge:

1 On the Networking > Interfaces > Interfaces page, click Add new interface.
2 In the Add new interface dialog box, configure the following settings:

Name: Enter a name for the bridge.
Type: Select Bridge.
Use as: Select one of the following: External – Select to use the bridge as an external interface. Basic interface – Select to use the bridge as an interface with one or more IP addresses on it.
Ports: From the ports listed as available, select the ports to be used as bridge members.

MAC: Accept the displayed MAC address or enter a new one.

3 Click Add. Advanced Firewall adds the bridge to the list on the Networking > Interfaces > Interfaces page.

Editing Bridges

To edit a bridge:

1 On the Networking > Interfaces > Interfaces page, point to the bridge and click Edit.
2 In the Edit interface dialog box, make the changes needed. See Creating Bridges on page 33 for information on the settings available.
3 Click Save changes. Advanced Firewall applies the changes.

Deleting Bridges

To delete a bridge:

1 On the Networking > Interfaces > Interfaces page, point to the bridge and click Delete.
2 When prompted, click Delete to confirm you want to delete the bridge. Advanced Firewall deletes the bridge.

Working with Bonded Interfaces

Advanced Firewall enables you to bind two or more NICs into a single bond. Bonding enables the NICs to act as one, thus providing high availability.

Creating Bonds

To create a bond:

1 On the Networking > Interfaces > Interfaces page, click Add new interface.
2 In the Add new interface dialog box, configure the following settings:

Name: Enter a name for the bond.
Type: Select Bonding.
Use as: Select one of the following: External – Select to use the bond as an external interface. Basic interface – Select to use the bond as an interface with one or more IP addresses on it. Bridge member – Select to use the bond as a member of a bridge. For more information, see Working with Bridges on page 33.
Ports: From the ports listed as available, select the ports to be used as bond members.
MAC: Accept the displayed MAC address or enter a new one.

3 Click Add. Advanced Firewall adds the bond to the list on the Networking > Interfaces > Interfaces page.

Editing Bonds

To edit a bond:

1 On the Networking > Interfaces > Interfaces page, point to the bond and click Edit.
2 In the Edit interface dialog box, make the changes needed. See Creating Bonds on page 34 for information on the settings available.
3 Click Save changes. Advanced Firewall applies the changes.

Deleting Bonds

To delete a bond:

1 On the Networking > Interfaces > Interfaces page, point to the bond and click Delete.
2 When prompted, click Delete to confirm you want to delete the bond. Advanced Firewall deletes the bond.

Configuring IP Addresses

The following sections explain how to add, edit and delete IP addresses used by interfaces.

Note: External aliases are configured on the Networking > Interfaces > External aliases page. See Chapter 4, Creating an External Alias Rule on page 45 for more information.

Adding an IP Address

To add an IP address:

1 On the Networking > Interfaces > Interfaces page, click on the interface you want to add an IP address to.
2 In the IP addresses dialog box, click Add new address.
3 In the Add new address dialog box, configure the following settings:

Status: Select Enabled to enable the IP address for the NIC.
IP address: Enter an IP address.
Subnet mask: Enter the subnet mask.
Gateway: Optionally, enter a gateway.

Click Add. Advanced Firewall adds the IP address to the interface.

Editing an IP Address

To edit an IP address:

1 On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to edit.
2 In the IP addresses dialog box, point to the address and click Edit.
3 In the Edit address dialog box, make the changes needed and click Save changes. Advanced Firewall applies the changes.

Deleting an IP Address

To delete an IP address:

1 On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to delete.
2 In the IP addresses dialog box, point to the address and click Delete.
3 When prompted, click Delete. Advanced Firewall deletes the address.

Virtual LANs

Advanced Firewall supports the creation of Virtual LANs (VLANs) by binding a virtual network interface to a regular NIC on the system. Each VLAN is treated by Advanced Firewall as an isolated network zone, just as if it were a regular network zone attached to a real NIC.

Creating a VLAN

To create a VLAN:

1 On the Networking > Interfaces > Interfaces page, click Add new interface.
2 In the Add new interface dialog box, configure the following settings:

Name: Enter a name for the VLAN.
Type: Select VLAN.
Parent interface: From the drop-down list of NICs available, select the interface to use.
VLAN ID: If required, enter a tag in the range 1 to 4095 to create a separate network. Note: We do not recommend using a VLAN tag of 1 as this can cause problems with some equipment.
Use as: Select one of the following:
External – Select to use the VLAN as an external interface. Spoof MAC – Optionally, enter a spoof MAC if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.
Basic interface – Select to use the VLAN as a basic interface. Spoof MAC – Optionally, enter a spoof MAC if required, as described above for External.
Bridge member – Select to use the VLAN as part of a bridge. For more information, see Working with Bridges on page 33. Bridge interface – From the drop-down list, select which bridge interface to use. Spoof MAC – Optionally, enter a spoof MAC if required, as described above for External.

3 Click Add. The VLAN is added to the list of interfaces below, where you can configure it.

Editing a VLAN

To edit a VLAN:

1 On the Networking > Interfaces > Interfaces page, point to the VLAN and click Edit.
2 In the Edit interface dialog box, make the changes needed and click Save changes. See Creating a VLAN on page 36 for information on the settings available.

Deleting a VLAN

To delete a VLAN:

1 On the Networking > Interfaces > Interfaces page, point to the VLAN and click Delete.
2 When prompted, click Delete to confirm. Advanced Firewall deletes the VLAN.


Chapter 4 Managing Your Network Infrastructure

In this chapter:
• Creating subnets and internal subnet aliases
• Enabling and configuring the RIP service

Creating Subnets

Large organizations often find it advantageous to group computers from different departments, floors and buildings into their own subnets, usually with network hubs and switches.

Note: This functionality only applies to subnets available via an internal gateway.

To create a subnet rule:

1 Navigate to the Networking > Routing > Subnets page.
2 Configure the following settings:

Network: Enter the IP address that specifies the network ID part of the subnet definition when combined with a netmask value.
Netmask: Enter a network mask that specifies the size of the subnet when combined with the network field.

Gateway: Enter the IP address of the gateway device by which the subnet can be found. This will be an address on a locally recognized network zone. The gateway address must be on a network that Advanced Firewall is directly attached to. It is necessary for Advanced Firewall to be able to route to the gateway device in order for the subnet to be successfully configured.
Metric: Enter a router metric to set the order in which the route is taken. This sets the order in which the route is evaluated, with 0 being the highest priority and the default for new routes.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.

3 Click Add. The rule is added to the Current rules table.

Editing and Removing Subnet Rules

To edit or remove existing subnet rules, use Edit and Remove in the Current rules area.

Using RIP

The Routing Information Protocol (RIP) service enables network-wide convergence of routing information amongst gateways and routers. A RIP-enabled gateway passes its entire routing table to its nearest neighbor, typically every 30 seconds.

Advanced Firewall’s RIP service can:
• Operate in import, export or combined import/export mode
• Support password and MD5 authentication
• Export direct routes to the system’s internal interfaces.

To configure the RIP service:

1 Navigate to the Networking > Routing > RIP page.

2 Configure the following settings:

Enabled: Select to enable the RIP service.
RIP interfaces: Select each interface that the RIP service should import/export routing information to/from.
Direction: From the drop-down menu, select how to manage routing information. The following options are available:
Import – The RIP service will add and update its routing table from information received from other RIP enabled gateways.
Export – The RIP service will only broadcast its routing tables for use by other RIP enabled gateways.
Import and Export – The RIP service will add and update its routing table from information received from other RIP enabled gateways. The RIP service will also broadcast its routing tables for use by other RIP enabled gateways.
Scan interval: From the drop-down menu, select the time delay between routing table imports and exports. Select a frequent scan interval for networks with fewer hosts. For networks with greater numbers of hosts, choose a less frequent scan interval. Note: There is a performance trade-off between the number of RIP-enabled devices, network hosts and the scan frequency of the RIP service. The periodic exchange of routing information between RIP-enabled devices increases the ambient level of traffic on the host network. Accordingly, administrators responsible for larger networks should consider increasing the RIP scan interval or the suitability of the RIP service for propagating routing information.
Logging level: From the drop-down menu, select the level of logging.
Authentication: Enabling RIP authentication ensures that routing information is only imported and exported amongst trusted RIP-enabled devices. Select one of the following options to manage authentication:
None – In this mode, routing information can be imported and exported between any RIP device. We do not recommend this option from a security standpoint.
Password – In this mode, a plain text password is specified which must match other RIP devices.
MD5 – In this mode, an MD5 hashed password is specified which must match other RIP devices.
Password: If Password is selected as the authentication method, enter a password for RIP authentication.
Again: If Password is selected as the authentication method, re-enter the password to confirm it.

Direct routing interfaces: Optionally, select interfaces whose information should also include routes to the RIP service’s own interfaces when exporting RIP data. This ensures that other RIP devices are able to route directly and efficiently to each exported interface.

3 Click Save.

Sources

The Sources page is used to configure source rules which determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active.

Creating Source Rules

Source rules route outbound traffic from selected network hosts through a particular external interface. Source rules can be created for individual hosts, ranges of hosts or subnet ranges.

To create a source rule:

1 Navigate to the Networking > Routing > Sources page.
2 Configure the following settings:

Source IP or network: Enter the source IP or subnet range of internal network host(s) specified by this rule. For more information, see About IP Address Definitions on page 43.
Internal interface: From the drop-down menu, select the internal interface that the source IP must originate from to use the external connection.

External interface: From the drop-down menu, select the external interface that is used by the specified source IP or network for external communication. Alternatively, select Exception to create an exception rule to ensure that all outbound traffic from the specified source IP, network and internal interface is routed via the primary external interface. Note: Using Exception will always send traffic out via the primary, no matter what interface is currently being used by the primary connection. Note: If the external interface is set to Exception, any traffic specified here will not be subject to any load balancing.
Enabled: Select to activate the rule.
Comment: Optionally, enter a description for the source rule.
3 Click Add.

Editing a Rule
To edit a rule:
1 Locate it within the Current rules region, select it and click Edit to populate the configuration controls in the Add a new rule region with the rule's current configuration values.
2 Alter the configuration values as necessary, and click Add.

Removing a Rule
To remove one or more rules:
1 Select each rule in the Current rules area and click Remove.

About IP Address Definitions
Single or multiple IP addresses can be specified in a number of different manners:
IP address – An identifier for a single network host, written as a quartet of dotted decimal values, e.g. 192.168.10.1
IP subnet [dotted decimal] – An arbitrary IP address and network mask that specifies a subnet range of IP addresses, e.g. 192.168.10.0/255.255.255.0 defines a subnet range of IP addresses from 192.168.10.0 to 192.168.10.255
IP subnet [network prefix] – An arbitrary IP address and network mask in network prefix notation, e.g. 192.168.10.0/24 defines a subnet range of IP addresses from 192.168.10.0 to 192.168.10.255

Ports
The Ports page is where you route outbound traffic for selected ports through a particular external interface. For example, you can create a rule to send all SMTP traffic down a specific external interface.
Note: The rules specified on the sources pages will always be examined first, so a rule will only travel down this list of ports if it does not first hit a sources rule. For more information, see Sources on page 42.
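As an added example that is not part of the guide, the following Python parses the definition forms used in the rule fields (single host, dotted-decimal mask, network prefix, and the start-end range that later pages use) and applies a constructed set of source rules, including an Exception rule, to decide which external interface a host's traffic leaves by; the interface names, the rule set and the first-match ordering are assumptions.

```python
"""IP address definitions as Advanced Firewall rule fields accept them, plus
the source-rule lookup described on the Sources page. Added illustration,
not Smoothwall code; interface names and the rule set are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PRIMARY_INTERFACE = "WAN1"   # constructed name for the primary external interface


@dataclass(frozen=True)
class IPRange:
    """Inclusive span of IPv4 addresses; every definition form reduces to one."""
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def __contains__(self, ip) -> bool:
        return self.first <= ipaddress.IPv4Address(ip) <= self.last


def parse_ip_definition(text: str) -> IPRange:
    """Accept the notations the guide uses in its rule fields:
      single host           192.168.10.1
      dotted-decimal mask   192.168.10.0/255.255.255.0
      network prefix        192.168.10.0/24
      inclusive range       192.168.10.1-192.168.10.15
    A definition that is not well formed raises ValueError rather than
    silently matching nothing."""
    text = text.strip()
    if "-" in text:
        lo_text, hi_text = text.split("-", 1)
        lo = ipaddress.IPv4Address(lo_text.strip())
        hi = ipaddress.IPv4Address(hi_text.strip())
        if lo > hi:
            raise ValueError(f"range start is above range end: {text}")
        return IPRange(lo, hi)
    if "/" in text:
        # IPv4Network understands both "/24" and "/255.255.255.0"; strict=True
        # rejects a subnet whose host bits are set (e.g. 192.168.10.5/24),
        # which is almost always a typo in a firewall rule.
        net = ipaddress.IPv4Network(text, strict=True)
        return IPRange(net.network_address, net.broadcast_address)
    host = ipaddress.IPv4Address(text)
    return IPRange(host, host)


@dataclass(frozen=True)
class SourceRule:
    """One row of the Sources page; external_interface may be "Exception"."""
    source: str
    internal_interface: str
    external_interface: str
    enabled: bool = True

    def matches(self, ip: str, internal_interface: str) -> bool:
        return (self.enabled
                and internal_interface == self.internal_interface
                and ip in parse_ip_definition(self.source))


def select_external_interface(rules: List[SourceRule], ip: str,
                              internal_interface: str) -> Tuple[str, bool]:
    """Return (external interface, eligible for load balancing).

    Rules are consulted in order and the first match wins (assumption: the
    guide says source rules are examined before port rules but does not state
    the order within the list).  An Exception rule pins the host to the primary
    connection and, as the guide notes, exempts it from load balancing.  A host
    with no matching rule falls through to the default policy: the primary
    connection unless a load-balancing pool chooses otherwise."""
    for rule in rules:
        if rule.matches(ip, internal_interface):
            if rule.external_interface == "Exception":
                return PRIMARY_INTERFACE, False
            return rule.external_interface, False
    return PRIMARY_INTERFACE, True


# Constructed rule set: the mail server range is pinned to the primary so its
# outbound traffic is never load balanced; the rest of the LAN uses WAN2.
SOURCE_RULES = [
    SourceRule("192.168.10.1-192.168.10.15", "LAN", "Exception"),
    SourceRule("192.168.10.0/255.255.255.0", "LAN", "WAN2"),
]

if __name__ == "__main__":
    for host in ("192.168.10.10", "192.168.10.200", "192.168.20.5"):
        print(host, select_external_interface(SOURCE_RULES, host, "LAN"))
```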

Creating a Ports Rule
Port rules route outbound traffic for selected ports through a particular external interface.
To create a ports rule:
1 Navigate to the Networking > Routing > Ports page.
2 Configure the following settings:
Protocol: From the drop-down menu, select the protocol the traffic uses.
Service: From the drop-down menu, select the service, port range or group of ports.
Port: If the service is user defined, enter the port number.
External interface: From the drop-down menu, select the external interface to use. Select Exception to never route the traffic via an alternative interface. Note: Using Exception will always send traffic out via the primary, no matter what interface is currently being used by the primary connection.
Enabled: Select to make the rule currently active.
Comment: Enter a description of the rule.
3 Click Add to create the rule. The rule is created and listed in the Current rules area.

Editing a Rule
To edit a rule:
1 Select the rule in the Current rules area and click Edit.
2 In the Add a new rule area, make the changes you require and click Add. The rule is updated and listed in the Current rules area.

Removing Rules
To remove one or more rules:
1 Select each rule in the Current rules area and click Remove.

Creating an External Alias Rule
Advanced Firewall enables you to associate multiple public IP addresses with a single Advanced Firewall by creating external aliases. An external alias binds an additional public IP address to Smoothwall System's external interface. This is particularly useful for creating aliases for connection profiles that are used as failover connections.
To create an external alias rule:
1 Navigate to the Networking > Interfaces > External aliases page.
2 Configure the following settings:
External interface: From the drop-down list, select the external interface to which you want to bind an additional public IP address.
Select: Click to select the interface.
Alias IP: Enter the IP address of the external alias. This address should be provided by your ISP as part of a multiple static IP address allocation.
Netmask: Used to specify the network mask of the external alias. This value should be provided by your ISP. This value is usually the same as the external interface's netmask value.
Connectivity profile: Used to determine when the external alias is active. Options include:
All – The external alias will always be active, irrespective of the currently active connection profile.
Named connection profile – The external alias will only be active if the named connection profile is currently active.
Enabled: Determines whether the external alias rule is currently active.
Comment: A field used to assign a helpful message describing the external alias rule.
3 Click Add. The external alias rule is added to the Current rules table.

Editing and Removing External Alias Rules
To edit or remove existing external alias rules, use Edit and Remove in the Current rules region.

Port Forwards from External Aliases
Advanced Firewall extends your system's port forwarding capabilities by allowing port forward rules to be created that can forward traffic arriving at an external alias. No special configuration is required to use this feature. Use the existing Networking > Firewall > Port forwarding page and select the required external alias from the Source IP drop-down list.

Creating a Source Mapping Rule
Advanced Firewall enables you to map internal hosts to an external IP alias, by creating source mapping rules. This allows outbound communication from specified hosts to appear to originate from the external alias IP address, instead of the default, i.e. real external IP.
A common use for source mapping rules is to ensure that SMTP mail servers send and receive email via the same IP address. If the incoming IP address is an external alias, for example, the Advanced Firewall default external IP is not the MX for the email domain, and outbound mail fails to mirror the IP address as its source, some SMTP servers will reject the mail. This is because the mail will not appear to originate from the correct IP address. This problem can be alleviated by using a source mapping rule to ensure that the SMTP server uses the same IP address for inbound and outbound traffic.
To create a source mapping rule:
1 Navigate to the Networking > Firewall > Source mapping page.
2 Configure the following settings:
Source IP: Enter the source IP or network of hosts to be mapped to an external alias. For a single host, enter its IP address. For a network of hosts, enter an appropriate IP address and subnet mask combination; for example, entering 192.168.100.0/255.255.255.0 will create a source mapping rule for hosts in the IP address range 192.168.100.1 through to 192.168.100.255. For all hosts, leave the field blank.
Alias IP: From the drop-down list, select the external alias that outbound communication is mapped to.
Enabled: Select to enable the rule.
Comment: Enter a description of the rule.
3 Click Add. The source mapping rule is added to the Current rules table.

Editing and Removing Source Mapping Rules
To edit or remove existing source mapping rules, use Edit and Remove in the Current rules area.

Managing Internal Aliases
Advanced Firewall can be configured to create internal aliases for each installed NIC, thus enabling it to route packets to and from IP addresses on a virtual subnet – without the need for physical switches. Internal aliases can be used to create logical subnets amongst hosts within the same physical network zone. Network users can join a logical subnet by changing their IP address. Internal alias rules are used to create such bindings on an internal network interface.
Note: This function is recommended only for experienced network administrators, as there are a number of security implications and limitations that using this feature will impose on the rest of your network. Generally, internal aliases should only be created in special circumstances.
Note: Use of this feature is not normally recommended for the following reasons:
• No physical separation – Internal aliases should not be considered as a substitute for physically separating multiple networks.
• No DHCP service – DHCP servers cannot serve a logical subnet, as it is impossible for them to know which subnet (physical or logical) the client should be on.
• No direct DNS or proxy access – The DNS proxy and web proxy services cannot be accessed by hosts on a logical subnet. Requests for such services must be routed via the IP address of the physical interface – this is not the case when an alias is in use.
Note: No services will run on the alias IP.

Creating an Internal Alias Rule
To create an internal alias rule:
1 Navigate to the Interfaces > Internal aliases page.

2 Configure the following settings:
Interface: From the drop-down menu, select the internal interface on which to create the alias.
IP address: Enter an IP address for the internal alias.
Netmask: Enter a network mask that specifies the size of the subnet accessible via the internal alias (when combined with a network value).
Enabled: Select to enable the rule.
Comment: Enter a description of the rule.
3 Click Add. The internal alias rule is added to the Current rules table.

Editing and Removing Internal Alias Rules
To edit or remove existing internal alias rules, use Edit and Remove in the Current rules area.

Working with Secondary External Interfaces
The Secondaries page is used to configure an additional, secondary external interface. A secondary external interface will operate independently of the primary external interface, NATing its own outbound traffic. Once a secondary external interface is active, the system can be configured to selectively route different internal hosts, ranges of hosts and subnets out across either the primary or secondary external interface.

Configuring a Secondary External Interface
Note: It is not possible to perform L2TP or OpenVPN connections to secondary interfaces.
To configure a secondary external interface:
1 Navigate to the Networking > Interfaces > Secondaries page.

2 Configure the following settings:
Secondary external interface: From the drop-down list, select the interface you want to use as the secondary external interface.
Select: Click to select the interface.
Address: Enter the IP address.
Netmask: Enter the netmask.
Default gateway: Enter the default gateway.
Enabled: Select to enable the interface.
Primary failover ping IP: Optionally, specify an IP address that you know can be contacted if the secondary connection is operating correctly. When enabled, the IP address is pinged every two minutes over the secondary to ensure that the connection is active. If this IP address cannot be contacted, all outbound traffic will be redirected to the primary connection. If a secondary failover IP has been entered, it must also fail before failover routing is activated.
Secondary failover ping IP: Optionally, specify an additional IP address that you know can be contacted if the secondary connection is operating correctly. When enabled, the IP address is pinged every two minutes over the secondary to ensure that the connection is active. If this IP address and the primary failover ping IP cannot be contacted, all outbound traffic will be redirected to the primary connection.
Load balance outgoing traffic: Optionally, select to add the currently selected secondary address to the load balancing pool of connections. Selecting this option ensures that outbound NATed traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have been added to the load balancing pool. Note: If no load balance tick-box controls are selected, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Optionally, select to add the currently selected secondary address to the proxy load balancing pool. Selecting this option ensures that web proxy traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have themselves been added to the proxy load balancing pool. Note: If no load balance options are enabled, all traffic will be sent out of the primary external connection.

Weighting: Optionally, select to set the weighting for load balancing on the currently selected secondary address. A weighting is assigned to all external connections in the load balancing pool and load balancing is performed according to the respective weights of each connection. For example:
• A connection weighted 10 will be given 10 times as much load as a connection weighted 1.
• A connection weighted 2 will be given twice as much load as a connection weighted 1.
• A connection weighted 6 will be given 3 times as much load as a connection weighted 2.
The weighting value is especially useful for load balancing external connections of differing speeds.
3 Click Save to save your settings and enable the secondary external interface.
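The ratios above fall out of any scheduler that honours the weights. As an added example that is not Smoothwall code, the following Python reproduces them with a smooth weighted round-robin scheduler (an assumption: the guide states the resulting split, not how it is implemented) over a constructed pool, and shows the secondary leaving the pool when its failover ping fails or load balancing is not ticked.

```python
"""How a weighted load-balancing pool shares new outbound connections between
external connections, and what the failover ping does to that share. Added
illustration, not Smoothwall code: the guide gives the resulting ratios; the
smooth weighted round-robin scheduler that reproduces them is an assumption
and the connection names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ExternalConnection:
    name: str
    weight: int                 # the Weighting setting
    load_balance: bool = True   # the "Load balance outgoing traffic" tick-box
    reachable: bool = True      # outcome of the two-minute failover ping
    credit: int = field(default=0, repr=False)   # scheduler state


class LoadBalancingPool:
    def __init__(self, primary: ExternalConnection,
                 secondaries: List[ExternalConnection]):
        self.primary = primary
        self.secondaries = secondaries

    def members(self) -> List[ExternalConnection]:
        """Connections currently eligible to carry traffic.

        A secondary leaves the pool while its failover ping IP cannot be
        contacted, and if no secondary has load balancing ticked every
        connection goes out via the primary, as the guide states."""
        active = [s for s in self.secondaries if s.load_balance and s.reachable]
        return [self.primary] + active

    def pick(self) -> ExternalConnection:
        """Smooth weighted round robin: over any window of sum(weights) picks
        each member is chosen exactly `weight` times, so a 10:1 weighting
        yields a 10:1 split without long runs on a single link."""
        pool = self.members()
        if len(pool) == 1:
            return pool[0]
        total = sum(c.weight for c in pool)
        for c in pool:
            c.credit += c.weight
        chosen = max(pool, key=lambda c: c.credit)
        chosen.credit -= total
        return chosen

    def distribute(self, connections: int) -> Dict[str, int]:
        """Assign `connections` new flows and report how many each link got."""
        for c in [self.primary] + self.secondaries:
            c.credit = 0
        counts: Dict[str, int] = {}
        for _ in range(connections):
            name = self.pick().name
            counts[name] = counts.get(name, 0) + 1
        return counts


def share(weights: Dict[str, int]) -> Dict[str, float]:
    """Fraction of load each weight earns: 6 against 2 gives 0.75 / 0.25."""
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


if __name__ == "__main__":
    wan1 = ExternalConnection("WAN1", weight=10)     # fast primary line
    wan2 = ExternalConnection("WAN2", weight=1)      # slow secondary line
    pool = LoadBalancingPool(wan1, [wan2])
    print(pool.distribute(110))      # {'WAN1': 100, 'WAN2': 10}
    wan2.reachable = False           # failover ping to the secondary failed
    print(pool.distribute(20))       # {'WAN1': 20}
```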

Chapter 5 General Network Security Settings
In this chapter:
• Using IP blocking to block source IPs and networks
• Reviewing network interface information
• Fine-tuning network communications using the advanced networking features
• Creating groups of ports for use throughout Advanced Firewall.

Blocking by IP
IP block rules can be created to block network traffic originating from certain source IPs or network addresses. IP block rules can also operate in an exception mode – allowing traffic from certain source IPs or network addresses to always be allowed. IP block rules are primarily intended to block hostile hosts from the external network; however, it is sometimes useful to use this feature to block internal hosts, for example, if an internal system has been infected by malware.

Creating IP Blocking Rules
IP block rules block all traffic to/from certain network hosts, or between certain parts of distinct networks.
To create an IP block rule:
1 Navigate to the Networking > Filtering > IP block page.

2 Configure the following settings:
Source IP or network: Enter the source IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
• An individual network host, enter its IP address, for example: 192.168.10.15.
• A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
Destination IP or network: Enter the destination IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
• An individual network host, enter its IP address, for example: 192.168.10.15.
• A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
Drop packet: Select to ignore any request from the source IP or network. The effect is similar to disconnecting the appropriate interface from the network, and no communication will be possible.
Reject packet: Select to cause an ICMP Connection Refused message to be sent back to the originating IP.
Exception: Select to always allow the source IPs specified in the Source IP or Network field to communicate, regardless of all other IP block rules. Exception block rules are typically used in conjunction with other IP block rules, for example, where one IP block rule drops traffic from a subnet range of IP addresses, and another IP block rule creates exception IP addresses against it.
Log: Select to log all activity from this IP.
Enabled: Select to enable the rule.
Comment: Optionally, describe the IP block rule.
3 Click Add. The rule is added to the Current rules table.
Note: It is not possible for an IP block rule to drop or reject traffic between network hosts that share the same subnet. Such traffic is not routed via the firewall, and therefore cannot be blocked by it.

Editing and Removing IP Block Rules
To edit or remove existing IP block rules, use Edit and Remove in the Current rules area.

Configuring Advanced Networking Features
Advanced Firewall's advanced networking settings can help prevent denial of service (DoS) attacks and enforce TCP/IP standards to restrict broken network devices from causing disruption.
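The following Python, added here and not part of the guide, walks a packet through IP block rules as the page describes them: Exception rules take precedence whatever their position in the list, Drop and Reject differ in whether an ICMP message goes back, and traffic between two hosts on the same subnet never reaches the firewall. The rule set, the attached subnet, and treating a blank destination field as any host are assumptions.

```python
"""Evaluation of IP block rules as the IP block page describes them: an
enabled Exception rule always lets its source communicate, whatever other
rules say; otherwise the first matching Drop or Reject rule decides; and
traffic between two hosts on the same subnet never reaches the firewall, so
no rule can block it. Added illustration, not Smoothwall code; the rule set,
subnets and the choice to treat a blank destination as "any" are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class IPBlockRule:
    source: str            # host, or subnet as 192.168.10.0/24 or /255.255.255.0
    destination: str = ""  # blank = any destination (assumption)
    action: str = "drop"   # "drop", "reject" or "exception"
    log: bool = False
    enabled: bool = True


def _covers(definition: str, ip: ipaddress.IPv4Address) -> bool:
    """ip_network accepts the single-host, prefix and dotted-mask forms."""
    return not definition or ip in ipaddress.ip_network(definition, strict=False)


def evaluate(rules: List[IPBlockRule], src: str, dst: str,
             local_subnets: Iterable[str] = (),
             logbook: Optional[List[str]] = None) -> str:
    """Return the firewall's verdict for one packet from src to dst:
    'not seen', 'forwarded', 'dropped' or 'rejected' (ICMP sent back)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Hosts sharing a directly attached subnet talk through the switch; the
    # firewall never routes that traffic, so no rule can apply to it.
    for subnet in local_subnets:
        net = ipaddress.ip_network(subnet)
        if s in net and d in net:
            return "not seen"
    active = [r for r in rules if r.enabled]
    # Exception rules win over every drop/reject rule, regardless of the
    # order in which the rules were added.
    for r in active:
        if (r.action == "exception" and _covers(r.source, s)
                and _covers(r.destination, d)):
            return "forwarded"
    for r in active:
        if (r.action in ("drop", "reject") and _covers(r.source, s)
                and _covers(r.destination, d)):
            if r.log and logbook is not None:
                logbook.append(f"ipblock {r.action} {src} -> {dst} rule={r.source}")
            return "dropped" if r.action == "drop" else "rejected"
    return "forwarded"


# Constructed rules: drop a whole subnet but exempt one host in it, as in the
# guide's description of exception rules, and reject one external host.
RULES = [
    IPBlockRule("192.168.10.0/255.255.255.0", action="drop", log=True),
    IPBlockRule("192.168.10.15", action="exception"),
    IPBlockRule("203.0.113.9", action="reject"),    # documentation-range address
]
LOCAL_SUBNETS = ["192.168.10.0/24"]                  # directly attached LAN

if __name__ == "__main__":
    log: List[str] = []
    for src, dst in [("192.168.10.5", "198.51.100.1"),
                     ("192.168.10.15", "198.51.100.1"),
                     ("192.168.10.5", "192.168.10.7"),
                     ("203.0.113.9", "192.168.10.15")]:
        print(src, "->", dst, evaluate(RULES, src, dst, LOCAL_SUBNETS, log))
    print(log)
```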

To configure advanced networking features:
1 Navigate to the Networking > Settings > Advanced page.
2 Configure the following feature settings:
Block and ignore:
  ICMP ping broadcasts – Select to prevent the system responding to broadcast ping messages from all network zones (including external). This can prevent the effects of a broadcast ping-based DoS attack.
  IGMP packets – Select this option to block and ignore multi-cast reporting Internet Group Management Protocol (IGMP) packets. Generally, IGMP packets are harmless and are most commonly observed when using cable modems to provide external connectivity. If your logs contain a high volume of IGMP entries, enable this option to ignore IGMP packets without generating log entries.
  Multicast traffic – Select this option to block multicast messages on network address 224.0.0.0 from ISPs and prevent them generating large volumes of spurious log entries.
  ICMP ping – Select to block all ICMP ping requests going to or through Advanced Firewall. This will effectively hide the machine from Internet Control Message Protocol (ICMP) pings, but this can also make connectivity problems more difficult to diagnose.
  SYN+FIN packets – Select to automatically discard packets used in SYN+FIN scans, which are used to passively scan systems. SYN+FIN scans result in large numbers of log entries being generated. With this option enabled, the scan packets are automatically discarded and are not logged.

Enable:
  SYN cookies – Select to defend the system against SYN flood attacks. A SYN flood attack is where a huge number of connection requests, SYN packets, are sent to a machine in the hope that it will be overwhelmed. The use of SYN cookies is a standard defence mechanism against this type of attack.
  Window scaling – Select this option to enable TCP window scaling to improve the performance of TCP on high speed links.
  Selective ACKs – Select this option to enable selective ACKs (RFC2018) to improve TCP performance when packet loss is high.
  TCP timestamps – Select this option to enable TCP timestamps (RFC1323) to improve TCP performance on high speed links.
  ECN – Select this option to enable Explicit Congestion Notification (ECN), a mechanism for avoiding network congestion. While effective, it requires communicating hosts to support it, and some routers are known to drop packets marked with the ECN bit. For this reason, this feature is disabled by default.
  ARP filter – Select this option to enable the ARP filter. This option can be enabled if your network is experiencing ARP flux.
ARP table size: You should increase the ARP table size if the number of directly connected machines or IP addresses is more than the value shown in the drop-down box. Directly connected machines are those which are not behind an intermediate router but are instead directly attached to one of Advanced Firewall's network interfaces. In normal situations, the default value of 2048 will be adequate, but in very big networks, select a bigger value.
Connection tracking table size: Select to store information about all connections known to the system. This includes NATed sessions, and traffic passing through the firewall. The value entered in this field determines the table's maximum size. In operation, the table is automatically scaled to an appropriate size within this limit, according to the number of active connections and their collective memory requirements. Occasionally, the default size, which is set according to the amount of memory, is insufficient – use this field to configure a larger size.
SYN backlog queue size: Select this option to set the maximum number of requests which may be waiting in a queue to be answered, the aim being to avoid a DoS attack. The default value for this setting is usually adequate, but increasing the value may reduce connection problems for an extremely busy proxy service.

Audit: Traffic auditing is a means of recording extended traffic logs for the purpose of analyzing the different types of incoming, outgoing and forwarded traffic. Traffic auditing logs are viewable on the Logs and reports > Logs > Firewall page.
  Direct incoming traffic – Select to log all new connections to all interfaces that are destined for the firewall.
  Direct outgoing traffic – Select to log all new connections from any interface.
  Forwarded traffic – Select to log all new connections passing through one interface to another.
  Note: It is possible that auditing traffic generates vast amounts of logging data. Ensure that the quantity of logs generated is acceptable.
Drop all direct traffic on internal interfaces: Select any internal interfaces which have hosts on them that do not require direct access to the system but do require access to other networks connected to Advanced Firewall.
3 Click Save to enable the settings you have selected.

Working with Port Groups
You can create and edit named groups of TCP/UDP ports for use throughout Advanced Firewall. Creating port groups significantly reduces the number of rules needed and makes rules more flexible. For example, you can create a port group to make a single port forward to multiple ports and modify which ports are in the group without having to recreate the rules that use it. In this way you could easily add a new service to all your DMZ servers.

Creating a Port Group
To create a port group:
1 Navigate to the Networking > Settings > Port groups page.
2 In the Port groups area, click New and configure the following settings:
Group name: Enter a name for the port group and click Save.
Name: Enter a name for the port or range of ports you want to add to the group.
Port: Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers, separated by a colon, for example: 1024:65535. For non-consecutive ports, create a separate entry for each port number.
Comment: Optionally, add a descriptive comment for the port or port range.
3 Click Add. The port, ports or port range is added to the group.

Adding Ports to Existing Port Groups
To add a new port:
1 Navigate to the Networking > Settings > Port groups page.
2 Configure the following settings:
Port groups: From the drop-down list, select the group you want to add a port to and click Select.
Name: Enter a name for the port or range of ports you want to add to the group.

Port: Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers, separated by a colon, for example: 1024:65535
Comment: Optionally, add a descriptive comment for the port or port range.
3 Click Add. The port, ports or range are added to the group.

Editing Port Groups
To edit a port group:
1 Navigate to the Networking > Settings > Port groups page.
2 From the Port groups drop-down list, select the group you want to edit and click Select.
3 In the Current ports area, select the port you want to change and click Edit.
4 In the Add a new port area, edit the port and click Add. The edited port, ports or range is updated.

Deleting a Port Group
To delete a port group:
1 Navigate to the Networking > Settings > Port groups page.
2 From the Port groups drop-down list, select the group you want to delete and click Select.
3 Click Delete.
Note: Deleting a port group cannot be undone.


Chapter 6 Configuring Inter-Zone Security
In this chapter:
• How bridging rules allow access between internal network zones.

About Zone Bridging Rules
By default, all internal network zones are isolated by Advanced Firewall. Zone bridging is the process of modifying this, in order to allow some kind of communication to take place between a pair of network zones.
A zone bridging rule defines a bridge in the following terms:
Zones: Defines the two network zones between which the bridge exists.
Direction: Defines whether the bridge is accessible one-way or bi-directionally.
Source: Defines whether the bridge is accessible from an individual host, a range of hosts, a network or any hosts.
Destination: Defines whether the bridge allows access to an individual host, a range of hosts, a network or any host.
Protocol: Defines what protocol can be used across the bridge.
Service: Defines what ports and services can be used across the bridge.
It is possible to create a narrow bridge, e.g. a one-way, single-host to single-host bridge, using a named port and protocol, or a wide or unrestricted bridge, e.g. a bi-directional, any-host to any-host bridge, using any port and protocol. In general, make bridges as narrow as possible to prevent unnecessary or undesirable use.

Creating a Zone Bridging Rule
Zone bridging rules enable communications between specific parts of separate internal networks.

To create a zone bridging rule:
1 Navigate to the Networking > Filtering > Zone bridging page.
2 Configure the following settings:
Source interface: From the drop-down menu, select the source network zone.
Source IP: Enter the source IP, IP range or subnet range from which access is permitted. To create a bridge from:
• A single network host, enter its IP address.
• A range of network hosts, enter an IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter a subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the source network, leave the field blank.
Bidirectional: Select to create a two-way bridge where communication can be initiated from either the source interface or the destination interface. Note: To create a one-way bridge where communication can only be initiated from the source interface to the destination interface and not vice versa, ensure that this option is not selected.
Destination interface: From the drop-down menu, select the destination network zone.
Destination IP: Enter the destination IP, IP range or subnet range to which access is permitted. To create a bridge to:
• A single network host, enter its IP address.
• A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the destination network, leave the field blank.
Protocol: From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.

Service: From the drop-down list, select the services, port range or group of ports to which access is permitted. Or, select User defined and leave the Port field blank to permit access to all ports for the relevant protocol. Note: This is only applicable to TCP and UDP.
Port: If User defined is selected as the destination port, specify the port number. Or, leave the field blank to permit access to all ports for the relevant protocol.
Enabled: Select to enable the rule.
Comment: Enter a description of the bridging rule.
3 Click Add. The rule is added to the Current rules table.

Editing and Removing Zone Bridge Rules
To edit or remove existing zone bridging rules, use Edit and Remove in the Current rules area.

A Zone Bridging Tutorial
In this tutorial, we will create a DMZ that:
• Allows restricted external access to a web server in the DMZ, from the Internet.
• Allows unrestricted access to the DMZ from the protected network.
• Does not allow access to the protected network from the DMZ.
In this example, we will use the following two local network zones:
Network zone: Description – IP address
Protected network: Contains local user workstations and confidential business data – 192.168.100.0/24
DMZ: Contains a web server – 192.168.200.0/24
Note: The DMZ network zone is a DMZ in name alone – until appropriate bridging rules are created, neither zone can see or communicate with the other.
A single zone bridging rule will satisfy the bridging requirements, while a simple port forward will forward HTTP requests from the Internet to the web server in the DMZ.

Creating the Zone Bridging Rule
To create the rule:
1 Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:
Source interface: From the drop-down menu, select the protected network.
Destination interface: From the drop-down menu, select the DMZ.
Protocol: From the drop-down list, select All.

Comment: Enter a description of the rule.
Enabled: Select Enabled to activate the bridging rule once it has been added.
2 Click Add. Hosts in the protected network will now be able to access any host or service in the DMZ, but not vice versa.

Allowing Access to the Web Server
To allow access to a web server in the DMZ from the Internet:
1 Navigate to the Networking > Firewall > Port forwarding page and configure the following settings:
Source: Select from the drop-down menu.
Protocol: From the drop-down list, select TCP.
Service: Select HTTP (80) to forward HTTP requests to the web server.
Destination IP: Enter the IP address of the web server: 192.168.200.10
Comment: Enter a description, such as Port forward to DMZ web server.
Enabled: Select to activate the port forward rule once it has been added.
2 Click Add.

Accessing a Database on the Protected Network
Multiple zone bridging rules can be used to further extend the communication allowed between the zones. As an extension to the previous example, a further requirement might be to allow the web server in the DMZ to communicate with a confidential database in the Protected Network.
To create the rule:
1 Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:
Source interface: From the drop-down menu, select DMZ.
Source IP: Enter the web server's IP address: 192.168.200.10
Destination interface: From the drop-down menu, select Protected Network.
Destination IP: Enter the database's IP address: 192.168.100.50
Protocol: From the drop-down menu, select TCP.
Service: Select User defined.
Port: The database service is accessed on port 3306. Enter 3306.
Comment: Enter a comment: DMZ web server to Protected Network DB.
Enabled: Select to activate the bridging rule once it has been added.
2 Click Add.

Group Bridging
By default, authenticated users may only access network resources within their current network zone, or that are allowed by any active zone bridging rules. Group bridging is the process of modifying this default security policy, in order to allow authenticated users from any network zone to access specific IP addresses, IP ranges, subnets and ports within a specified network zone. Authenticated groups of users can be bridged to a particular network by creating group bridging rules.

Group Bridging and Authentication
Group bridging uses the core authentication mechanism, meaning that users must be preauthenticated before group bridging rules can be enforced by Advanced Firewall. Users can authenticate themselves using the authentication system's Login mechanism, either automatically when they try to initiate outbound web access or manually by browsing to the secure SSL Login page. Authentication can also be provided by any other mechanism used elsewhere in the system. For further information about authentication, see Chapter 10, Authentication and User Management on page 193.

Creating Group Bridging Rules
Group bridging rules apply additional zone communication rules to authenticated users. A group bridging rule defines a bridge in the following terms:
Group – The group of users from the authentication sub-system that may access the bridge.
Zone – The destination network zone.
Destination – Defines whether the bridge allows access to an individual host, a range of hosts, a subnet of hosts or any hosts.
Protocol – Defines what protocol can be used across the bridge.
Service – Defines what ports and services can be used across the bridge.
Like zone bridges, group bridges can be narrow (e.g. allow access to a single host, using a named port and protocol) or wide (e.g. allow access to any host, using any port and protocol). In general, bridges should be made as narrow as possible to prevent unnecessary or undesirable use.

To create a group bridging rule:
1 Navigate to the Networking > Filtering > Group bridging page.
2 Configure the following settings:
Groups – From the drop-down menu, select the group of users that this rule will apply to. Select Click to select the group.
Destination interface – Select the interface that the group will be permitted to access.
Destination IP – Enter the destination IP, IP range or subnet range that the group will be permitted to access. To create a rule to allow access to:
• A single network host in the destination network, enter its IP address, for example: 192.168.10.1.
• A range of network hosts in the destination network, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts in the destination network, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the destination network, leave the field blank.
Protocol – From the drop-down list, select a specific protocol to allow for communication between the zones, or select All to allow all protocols.
Service – From the drop-down list, select the service, port or port range to be used. To allow any service or port to be used, select User defined and leave the Port field empty. To restrict to a custom port, select User defined and enter a port number in the Port field.
Port – If applicable, enter a destination port or range of ports. If this field is blank, all ports for the relevant protocol will be permitted.
Comment – Enter a description of the rule.
Enabled – Select to enable the rule.
3 Click Add. The rule is added to the Current rules table.
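The four forms the Destination IP field accepts (blank, single host, address range, subnet with CIDR or dotted mask) are easy to get subtly wrong, and a typo in a bridge widens access rather than narrowing it. The following is an added example written for this guide, not Smoothwall’s own code: it parses each form strictly, rejects malformed or inverted specifications, and evaluates a constructed list of group bridging rules in order. The GroupBridge fields and the A:B notation for a port range are assumptions.

```python
"""Added example: matching the Destination IP, Protocol and Port fields of a
group bridging rule. Illustrative code for this guide, not Smoothwall's
implementation; the GroupBridge fields and A:B port ranges are assumptions."""
import ipaddress
from dataclasses import dataclass


def parse_destination(spec: str):
    """Return a predicate over IPv4Address for a Destination IP field.

    ''                           -> any host in the destination network
    '192.168.10.1'               -> a single host
    '192.168.10.1-192.168.10.15' -> an inclusive range
    '192.168.10.0/24' or '192.168.10.0/255.255.255.0' -> a subnet
    Malformed specs raise ValueError so a typo cannot silently widen the bridge.
    """
    spec = spec.replace(" ", "")
    if not spec:
        return lambda ip: True
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start after end: {spec}")
        return lambda ip: lo <= ip <= hi
    if "/" in spec:
        # strict=True: '192.168.10.5/24' is rejected rather than silently read as .0/24
        net = ipaddress.IPv4Network(spec, strict=True)
        return lambda ip: ip in net
    host = ipaddress.IPv4Address(spec)
    return lambda ip: ip == host


def destination_contains(spec: str, ip: str) -> bool:
    return parse_destination(spec)(ipaddress.IPv4Address(ip))


def port_allowed(port_field: str, dport: int) -> bool:
    """Blank = all ports; 'N' = one port; 'A:B' = inclusive range (assumed notation)."""
    if not port_field:
        return True
    lo, _, hi = port_field.partition(":")
    return int(lo) <= dport <= int(hi or lo)


@dataclass(frozen=True)
class GroupBridge:
    group: str          # Groups field
    zone: str           # Destination interface
    destination: str    # Destination IP field
    protocol: str       # 'All', 'TCP', 'UDP', ...
    port: str           # Port field; blank = all ports for the protocol
    comment: str = ""
    enabled: bool = True


def bridge_permits(rule, user_groups, dst_zone, dst_ip, proto, dport) -> bool:
    """True if this one rule lets a member of user_groups reach dst_ip:dport."""
    if not rule.enabled or rule.group not in user_groups or rule.zone != dst_zone:
        return False
    if not destination_contains(rule.destination, dst_ip):
        return False
    if rule.protocol != "All" and rule.protocol != proto:
        return False
    return port_allowed(rule.port, dport)


def first_permitting(rules, user_groups, dst_zone, dst_ip, proto, dport):
    """Comment of the first enabled rule that permits the access, or None."""
    for rule in rules:
        if bridge_permits(rule, user_groups, dst_zone, dst_ip, proto, dport):
            return rule.comment
    return None


# Constructed sample rules: one narrow bridge and one wide bridge.
SAMPLE_RULES = [
    GroupBridge("Developers", "DMZ", "192.168.10.1-192.168.10.15", "TCP", "22",
                comment="Developers SSH to DMZ build hosts"),
    GroupBridge("NetOps", "DMZ", "192.168.10.0/255.255.255.0", "All", "",
                comment="NetOps full access to DMZ"),
]

if __name__ == "__main__":
    print(first_permitting(SAMPLE_RULES, {"Developers"}, "DMZ", "192.168.10.7", "TCP", 22))
    print(first_permitting(SAMPLE_RULES, {"Developers"}, "DMZ", "192.168.10.7", "TCP", 80))
```

The narrow Developers bridge only answers for SSH to fifteen hosts, while the wide NetOps bridge answers for anything in the subnet; a user who is not authenticated has no groups and therefore matches nothing, which is the preauthentication requirement described above.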

Editing and Removing Group Bridges
To edit or remove existing group bridging rules, use the Edit and Remove buttons in the Current rules region.


Chapter 7 Managing Inbound and Outbound Traffic

In this chapter:
• How port forward rules work
• Application helpers which allow traffic passing through the firewall to work correctly
• How to manage outbound access to IP addresses and networks.

Introduction to Port Forwards – Inbound Security
Port forwards are used to forward requests that arrive at an external network interface to a particular network host in an internal network zone. It is common to think of such requests arriving from hosts on the Internet; however, port forwards can be used to forward any type of traffic that arrives at an external interface, regardless of whether the external interface connects to the Internet or some other external network zone.
For example, you can create a port forward rule to forward HTTP requests on port 80 to a web server listening on port 81 in a De-Militarized Zone (DMZ). If the web server has an IP address of 192.168.2.60, you can create a port forward rule to forward all port 80 TCP traffic to port 81 on 192.168.2.60.

Port Forward Rules Criteria
Port forward rules can be configured to forward traffic based on the following criteria:
External IP – Forward traffic if it originated from a particular IP address, IP address range or subnet range.
Source IP – Forward traffic if it arrived at a particular external interface or external alias.
Protocol – Forward traffic if it uses a particular protocol.
Port – Forward traffic if it was destined for a particular port or range of ports.
Destination IP – A port forward will send traffic to a specific destination IP.
Destination port – A port forward will send traffic to a specific destination port.

Note: It is important to consider the security implications of each new port forward rule. Port forwards allow unknown hosts from the external network to access a particular internal host. Any network is only as secure as the services exposed upon it. If a cracker manages to break into a host that they have been forwarded to, they may gain access to other hosts in the network. For this reason, we recommend that all port forwards are directed towards hosts in isolated network zones, i.e. a DMZ scenario, that preferably contain no confidential or security-sensitive network hosts. Use the Networking > Filtering > Zone bridging page to ensure that the target host of the port forward is contained within a suitably isolated network.

Creating Port Forward Rules
To create a port forward rule:
1 Navigate to the Networking > Firewall > Port forwarding page.
2 Configure the following settings:
External interface – From the drop-down menu, select the interface that the port forward will be bound to. By default, a port forward is bound to the primary external connection. However, if you have a secondary external connection you can assign a port forward explicitly to it. Select Click to select the external interface specified.
Protocol – From the drop-down list, select the network protocol for the traffic that you want to forward. For example, to port forward an HTTP request, which is a TCP-based protocol, choose the TCP option.
External IP or network – Enter the IP address, address range or subnet range of the external hosts allowed to use this rule. Or, to create a port forward rule that will forward all external hosts (such as that required to port forward anonymous HTTP requests from any network host to a web server), leave this field blank.

Or. enter a single port or port range. Deploying Intrusion Prevention Policies on page 115 for more information.Smoothwall Advanced Firewall Administrator’s Guide Setting Description Log Select to log all port forwarded traffic. Port ranges are specified using an A:B notation. Load Balancing Port Forwarded Traffic Advanced Firewall enables you to load balance port forwarded traffic to different network hosts. See Creating Port Forward Rules on page 68 for more information. Enabled Select to enable the rule. Editing and Removing Port Forward Rules To edit or remove existing port forward rules. use Edit and Remove in the Current rules area. If left blank and the source service value specified a port range. then this will be used as the target. reflective port forwarding and connectivity failback. Source IP Select the external IP alias that this rule will apply to. the destination port will be the same as the port that the connection came in on. to specify a user defined port. Advanced Firewall automatically balances the traffic between the hosts. port. To load balance port forwards: 1 On the Networking > Firewall > Port forwarding page. 3 Comment Enter a description of the port forward rule. Destination service From the drop-down menu. See Chapter 8. The port forward rule is added to the Current rules table. Or. Click Add. Advanced Network and Firewall Settings The following sections explain network application helpers. Leave this field empty to create a port forward that uses the source port as the destination port. 69 . Source service From the drop-down menu. select User defined. User defined If User defined is selected in the Source service drop-down menu. 2 On the Networking > Firewall > Port forwarding page. In most cases. how you can manage bad traffic actions. select User defined. select the service. Note: Only applies to the protocols TCP and UDP. Destination IP Enter the IP address of the network host to which traffic should be forwarded. 
enter a destination port. For example: 1000:1028 covers the range of ports from 1000 to 1028. port. select the service. IPS Select to deploy intrusion prevention. port range or group of ports. If it contains a single port. User defined If User defined is selected as the destination service. create a port forward rule to the first network host. port range or group of ports. create another port forward rule using exactly the same settings except for the destination IP to the second network host. this will be the IP of the default external connection.

Network Application Helpers
Advanced Firewall includes a number of helper applications which must be enabled to allow certain types of traffic passing through the firewall to work correctly. The following helper applications are available:
FTP – IP information is embedded within FTP traffic; this helper application ensures that FTP active mode client connections are not adversely affected by the firewall.
IRC – IP information is embedded within IRC traffic; this helper application ensures that IRC communication is not adversely affected by the firewall.
H323 – When enabled, loads modules to enable passthrough of H323, a common protocol used in Voice over IP (VoIP) applications. This option is disabled by default because of a theoretical security risk associated with the use of H323 passthrough. We recommend that you only enable this feature if you require VoIP functionality. Without this option enabled, it will not be possible to make VoIP calls. Additionally, with this option enabled, it is possible to receive incoming H323 calls through the use of a port forward on the H323 port.
Advanced PPTP support – When enabled, loads special software modules to help PPTP clients. This is the PPTP client protocol used in standard Windows VPNing. Difficulties can occur if multiple clients on the local network wish to connect to the same PPTP server on the Internet; in this case, this application helper should be used. If this option is not selected, it is still possible for PPTP clients to connect through to a server on the outside, but not in all circumstances. Note: When this application helper is enabled, it is not possible to forward PPTP traffic. For this reason, this option is not enabled by default.
To enable helper applications:
1 Navigate to the Networking > Firewall > Advanced page.

2 In the Network application helpers area, select the application(s) you require.
3 Optionally, configure the options in the Advanced area.
4 Click Save changes to implement your selection.

Managing Bad External Traffic
By default, bad traffic is rejected and a ‘No one here’ ICMP message is bounced back to the sender. This is what Internet hosts are meant to do. However, you can drop traffic silently, which enables you to ‘stealth’ your firewall and make things like port scans much harder to do. Using the Bad external traffic action option, select Drop to drop traffic silently, or Reject to reject the traffic and notify the sender.
To manage bad external traffic:
1 Navigate to the Networking > Firewall > Advanced page.
2 From the Bad external traffic drop-down list, select Drop to silently discard the traffic and not send a message to the sender. This runs Advanced Firewall in a stealth-like manner and makes things like port scans much harder to do.
3 Click Save changes. Advanced Firewall applies and saves the changes.

Configuring Reflective Port Forwards
By default, port forwards are not accessible from within the same network where the destination of the forward resides. However, when enabled, the reflective port forwards option allows port forwards originating on an internal network to reach a host on the same network. This makes it possible to access a port forwarded service from inside the internal network using the same (external) address as an external host would.
To configure reflective port forwards:
1 Navigate to the Networking > Firewall > Advanced page.
2 Enable Reflective port forwards and click Save changes.

Managing Connectivity Failback
The following sections explain how to configure failback and automatic failback for connectivity profiles. For more information on connectivity profiles, see Chapter 3, Connecting Using a Static Ethernet Connectivity Profile on page 20.

Configuring Connectivity Failback
The following section explains how to configure Advanced Firewall to revert to a specific connectivity profile after reboot if its primary connectivity profile has failed.
To configure connectivity failback:
1 On the Networking > Firewall > Advanced page, go to the Connectivity Failback area.
2 From the Connectivity failback profile drop-down menu, select the profile to use after reboot if the primary connectivity profile has failed.
3 Click Save changes. Advanced Firewall applies and saves the changes.
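The FTP helper described in the Network Application Helpers section exists because the client announces, inside the control channel, the address and port on which the server should open the active-mode data connection; a stateful firewall that did not read the PORT command would drop that inbound connection. The following is an added example for this guide, not Smoothwall’s helper: it decodes the h1,h2,h3,h4,p1,p2 tuple used by PORT and by 227 PASV replies, derives the data flow the firewall should expect, and refuses a PORT command that names a host other than the control-connection peer, which is the check that keeps a helper from being turned into an open relay. The function names and the constructed addresses are assumptions.

```python
"""Added example: what an FTP application helper learns from the control
channel. Illustrative code for this guide, not Smoothwall's helper; function
names and sample addresses are assumptions."""
import re
from typing import Tuple

# h1,h2,h3,h4,p1,p2 as used by the PORT command and by the 227 reply to PASV
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text: str) -> Tuple[str, int]:
    """Decode the comma-separated address/port tuple; port = p1 * 256 + p2."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ip, port


def expected_active_data_flow(control_client_ip: str, server_ip: str, port_line: str):
    """Given the client's control-connection address and its PORT command, return
    (src_ip, dst_ip, dst_port) of the server-initiated data connection to permit.
    The address in PORT must equal the control peer: a PORT naming a third host is
    the classic FTP bounce pattern and is refused rather than opened."""
    verb, _, rest = port_line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    ip, port = decode_hostport(rest)
    if ip != control_client_ip:
        raise ValueError(f"PORT address {ip} does not match control peer {control_client_ip}")
    return server_ip, ip, port


def port_command_is_safe(control_client_ip: str, port_line: str) -> bool:
    """Convenience wrapper: True only if the PORT command would be honoured."""
    try:
        expected_active_data_flow(control_client_ip, "0.0.0.0", port_line)
        return True
    except ValueError:
        return False


def expected_passive_data_flow(control_client_ip: str, reply_line: str):
    """Passive mode: the server's 227 reply names where the client will connect.
    A server behind NAT may advertise its private address here, which is the case
    a helper must additionally rewrite; this function only decodes it."""
    if not reply_line.startswith("227"):
        raise ValueError("not a 227 reply")
    ip, port = decode_hostport(reply_line)
    return control_client_ip, ip, port


if __name__ == "__main__":
    # Constructed sample: client 192.168.1.10 talking to server 203.0.113.21
    print(expected_active_data_flow("192.168.1.10", "203.0.113.21", "PORT 192,168,1,10,4,1"))
    print(port_command_is_safe("192.168.1.10", "PORT 192,168,1,99,4,1"))
```

The decoded tuple is exactly the state the helper has to track: without it, the server’s connection to client port 1025 arrives with no matching outbound flow and is dropped; with it, only that one flow is admitted, and only to the host that asked for it.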

Configuring Automatic Failback
It is possible to configure Advanced Firewall to enable automatic failback. When enabled, Advanced Firewall attempts, once a day, to revert to the connectivity failback profile specified in the Connectivity Failback area.
To configure automatic failback:
1 On the Networking > Firewall > Advanced page, go to the Connectivity Failback area.
2 Enable Automatic failback and click Save changes. Advanced Firewall applies and saves the changes.

Managing Outbound Traffic and Services
The following sections discuss port and access rules which are used to control outbound network traffic and services. For more information on outbound access rules, see Working with Outbound Access Policies on page 76.

Working with Port Rules
Port rules are used when creating outbound access rules which determine how outbound network traffic and services are managed. For more information, see Managing Blocked Services on page 74.

Predefined Port Rules
Advanced Firewall contains a number of predefined, customizable port rules which allow or reject network traffic or specific services access on certain ports. Currently, the following port rules are predefined:
Allow all – Allow unrestricted outbound access to the Internet.
Allow basic services – Allow services common to most user computers, including web browsing (HTTP and HTTPS) and DNS on listed ports.
Allow email services – Allow email services on listed ports.
Reject all – Reject all outbound access to the Internet except for listed ports.
Reject all with logging – Reject all outbound access to the Internet except for listed ports and log the rejections.
Reject all P2P – Reject all peer to peer outbound access to the Internet on listed ports.
Reject known exploits – Reject outbound access on the listed ports which are associated with many common exploits against programs and services.
Reject MS ports – Reject outbound access on the listed ports which are associated with Microsoft Windows local area networking.

Creating a Port Rule
It is possible to create a custom port rule.
To create a port rule:
1 Navigate to the Networking > Outgoing > Ports page.
2 Click Add new port rule. The following dialog box opens.
3 Configure the following settings:
Name – Enter a name for the port rule. This name will be displayed wherever the rule can be selected.
Action – Select one of the following actions:
Reject only listed ports – Reject outbound access on listed ports but allow on all other ports.
Allow only listed ports – Allow outbound access on listed ports but reject on all other ports.

Rejection logging – Select if you want to log outbound requests rejected by this rule. Note: This generates a lot of data and should be used with care.
Stealth mode – Select if you want to log but not reject outbound requests.
4 Click Add. Advanced Firewall adds the port rule to the Port rules list.
5 Click Add new port/service. The following dialog box opens.
6 Configure the following settings:
Status – Select to enable the rule.
Protocol – From the drop-down menu, select the network protocol to add to the port.
Destination port – Select one of the following:
• Any – Any destination port.
• From the drop-down menu, select the port, port range or group of ports you want to allow or deny access to.
• Enter a custom port number or range of ports if User defined is selected in the Service drop-down list. A port range is specified using from:to notation, for example: 1024:2048.
Comment – Enter a description of the port.
7 Click Add. The port is added to the port rule.
Note: Some services use unpredictable port numbers to evade port-based outbound access rules. To control access to these services, see Managing Blocked Services on page 74.

Managing Blocked Services
Advanced Firewall is able to detect and block service activity such as Skype and BitTorrent using deep packet inspection.
To configure blocking services:
1 On the Networking > Outgoing > Ports page, locate the port rule for which you want to configure services.

2 Click the rule’s content arrow. The ports/services contained in the rule are displayed.
3 Point to Blocked services and click Edit. The following dialog box opens.
4 Select the services you want to block. Note: The types of services available depend on what Deep Packet Inspection licensing you have purchased. Contact your Smoothwall representative for more information.
5 Click Save to save the settings and close the dialog box. Advanced Firewall applies the settings and starts blocking the services selected.

Editing a Port Rule
To edit a port rule:
1 On the Networking > Outgoing > Ports page, point to the port rule and select Edit.
2 In the Edit port rule dialog box, make any changes required. See Creating a Port Rule on page 73 for information on the settings available.
3 Click Save changes to apply the changes and close the dialog box.

Editing a Port Rule’s Contents
To edit the contents of a port rule:
1 On the Networking > Outgoing > Ports page, click the rule’s content arrow. The ports/services contained in the rule are displayed.
2 Point to the port/service and click Edit. In the Edit port/service dialog box, make any changes required. See Creating a Port Rule on page 73 for information on the settings available.
3 Click Save changes to apply the changes and close the dialog box.

Deleting a Port Rule
To delete a port rule:
1 On the Networking > Outgoing > Ports page, point to the rule and select Delete.
2 When prompted, click Delete to confirm that you want to delete the rule and its contents.

Working with Outbound Access Policies
Advanced Firewall enables you to create policies which determine outbound access for network traffic and services depending on:
• the group(s) an authenticated user belongs to, or
• the source and/or destination of the traffic.
By default, Advanced Firewall contains a default outbound access policy which uses the Allow all port rule and allows unrestricted outbound access to the Internet. If the outbound network traffic or service does not match any policy, the Default policy is applied. You can reorder outbound access policies to suit your requirements. Note: Once the network traffic matches a policy, Advanced Firewall does not apply any further policy matching.

Creating Outbound Access Policies for Groups
The Groups section is used to assign outbound access policies to traffic or services from users in an authenticated group of users.
To assign a policy to a group of users:
1 Navigate to the Networking > Outgoing > Policies page.
2 Click Add new policy. The following dialog box opens.
3 Configure the following settings:
Status – Select Enabled to enable the policy.
Group – From the drop-down menu, select the group to which the outbound access policy applies.
Port rule – From the drop-down menu, select which port rule to use in the outbound access policy. For more information on port rules, see Working with Port Rules on page 72.
Comment – Enter a description for the policy.
4 Click Add. The policy is added to the list of groups.
5 Place the policy where it is required by selecting it and using Up or Down, or by dragging it to the correct position and clicking Save moves. Note: Once traffic matches a policy, Advanced Firewall does not apply any further policy matching.

Note: Group policies cannot be enforced in all circumstances. If a user has not actively authenticated themselves, using the SSL Login page or by some other authentication method, the user is unknown to the system and a policy cannot be applied. Group policies are often more suitable for allowing access to ports and services. In such situations, users have a reason to pro-actively authenticate themselves so that they can gain access to an outbound port or service.

Creating Outbound Access Policies for Traffic from Sources and/or Destinations
When the source and/or destination IP addresses of outbound traffic match a policy in the Sources and Destination addresses, Advanced Firewall checks that the traffic does not break the port rule(s) assigned to that source and/or destination.
To create a policy:
1 Browse to the Networking > Outgoing > Policies page.
2 Click Add new Policy.
3 In the Add new policy dialog box, configure the following settings:
Status – Select to enable the policy.
Name – Enter a name for the policy.
Source – Configure one of the following to apply the policy to:
• Any – Any source IP address.
• A single source IP address, a range (x.x.x.x-y.y.y.y) or a subnet (x.x.x.x/y).
Destination – Configure one of the following to apply the policy to:
• Any – Any destination IP address.
• A single destination IP address, a range (x.x.x.x-y.y.y.y) or a subnet (x.x.x.x/y).
Port rule – From the drop-down list, select the port rule to apply. For more information, see Working with Port Rules on page 72.
Comment – Enter a description for the policy.

4 Click Add. The policy is added to the list of sources and destinations.
5 Place the policy where it is required by selecting it and using Up or Down, or by dragging the rule to the correct position and clicking Save moves. Note: Once traffic matches a policy, Advanced Firewall does not apply any further policy matching.

Editing a Policy
To edit a policy:
1 On the Networking > Outgoing > Policies page, point to the rule and select Edit.
2 In the Edit policy dialog box, make any changes required. See Creating Outbound Access Policies for Traffic from Sources and/or Destinations on page 77 for information on the settings available.
3 Click Save changes to apply the changes and close the dialog box.

Deleting a Policy
To delete a policy:
1 On the Networking > Outgoing > Policies page, point to the rule and select Delete.
2 When prompted, click Delete to confirm that you want to delete the policy.

Managing External Services
Note: The External services page has been superseded by the functionality on the Networking > Outgoing > Policies page and has been deprecated. It will be removed in a future Advanced Firewall update.
You can prevent local network hosts from using external services by creating appropriate policies to stop outbound traffic.
To create an external service rule:
1 Navigate to the Networking > Outgoing > External services page and configure the following settings:
Service – Select Empty from the drop-down list.
Service rule name – Enter a name for the rule.
Rejection logging – Select to log all traffic rejected by the external services rule.
Stealth mode – Select to allow traffic that would normally be rejected by the external services rule and log all traffic in the firewall logs.
Click Save.
2 In the Add a new rule area, configure the following settings:
Destination IP – Enter the IP address of the external service to which the rule applies.
Protocol – Select the protocol used by the service.
Service – From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined.
Port – If User defined is selected in the Service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.

Comment – Enter a description of the rule.
Enabled – Select to enable the rule.
3 Click Add. The external service rule is added to the Current rules region.

Editing and Removing External Service Rules
To edit or remove existing external service rules, use Edit and Remove in the Current rules area.
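Before leaving outbound control, it helps to see the pieces of the preceding sections evaluated together: a port rule with its Reject only listed ports or Allow only listed ports action, the Rejection logging and Stealth mode options, group policies that apply only to authenticated users, source/destination policies, first-match ordering with no further matching, and the Default policy’s Allow all rule. The following is an added example written for this guide, not Smoothwall’s implementation. It treats the group list and the source/destination list as one ordered list with group policies first, which is an assumption about precedence; the data classes and the constructed policies, including the ports chosen for the sample Reject MS ports rule, are also assumptions.

```python
"""Added example: first-match evaluation of outbound access policies against
port rules. Illustrative code for this guide, not Smoothwall's implementation;
the data classes, precedence and constructed policies are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

REJECT_LISTED = "Reject only listed ports"
ALLOW_LISTED = "Allow only listed ports"


@dataclass(frozen=True)
class PortEntry:
    protocol: str   # 'TCP', 'UDP' or 'All'
    ports: str      # 'Any', 'N' or 'from:to'

    def covers(self, proto: str, port: int) -> bool:
        if self.protocol not in ("All", proto):
            return False
        if self.ports == "Any":
            return True
        lo, _, hi = self.ports.partition(":")
        return int(lo) <= port <= int(hi or lo)


@dataclass(frozen=True)
class PortRule:
    name: str
    action: str                        # REJECT_LISTED or ALLOW_LISTED
    entries: Tuple[PortEntry, ...] = ()
    rejection_logging: bool = False
    stealth_mode: bool = False         # log what would be rejected, but allow it

    def decide(self, proto: str, port: int) -> Tuple[str, bool]:
        """Return (verdict, log) for one connection under this rule alone."""
        listed = any(e.covers(proto, port) for e in self.entries)
        rejected = listed if self.action == REJECT_LISTED else not listed
        if not rejected:
            return "allow", False
        if self.stealth_mode:
            return "allow", True
        return "reject", self.rejection_logging


# The predefined Allow all rule: nothing listed under Reject only listed ports.
ALLOW_ALL = PortRule("Allow all", REJECT_LISTED)


@dataclass(frozen=True)
class Policy:
    name: str
    port_rule: PortRule
    group: Optional[str] = None   # set for a group policy
    source: str = "Any"           # address policy: 'Any', single, a-b or a/n
    destination: str = "Any"
    enabled: bool = True


def addr_matches(spec: str, ip: str) -> bool:
    if spec == "Any":
        return True
    addr = ipaddress.IPv4Address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.IPv4Network(spec, strict=False)


def policy_matches(p: Policy, user_groups: Set[str], src: str, dst: str) -> bool:
    if not p.enabled:
        return False
    if p.group is not None:
        return p.group in user_groups   # an unauthenticated user has no groups
    return addr_matches(p.source, src) and addr_matches(p.destination, dst)


def evaluate(policies: List[Policy], user_groups: Set[str], src: str, dst: str,
             proto: str, port: int, default: PortRule = ALLOW_ALL):
    """First matching policy wins and no further matching is done.
    Returns (policy name, verdict, whether to log)."""
    for p in policies:
        if policy_matches(p, user_groups, src, dst):
            verdict, log = p.port_rule.decide(proto, port)
            return p.name, verdict, log
    verdict, log = default.decide(proto, port)
    return "Default", verdict, log


# Constructed sample rules and policies (port lists are illustrative).
REJECT_MS = PortRule("Reject MS ports", REJECT_LISTED,
                     (PortEntry("TCP", "135"), PortEntry("TCP", "137:139"),
                      PortEntry("TCP", "445"), PortEntry("UDP", "137:138")),
                     rejection_logging=True)
WEB_ONLY = PortRule("Web only", ALLOW_LISTED,
                    (PortEntry("TCP", "80"), PortEntry("TCP", "443"), PortEntry("UDP", "53")))
AUDIT_ONLY = PortRule("Audit only", ALLOW_LISTED, (PortEntry("TCP", "443"),), stealth_mode=True)
SAMPLE_POLICIES = [
    Policy("Guests web only", WEB_ONLY, group="Guests"),
    Policy("Lab subnet", REJECT_MS, source="192.168.50.0/24"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICIES, {"Guests"}, "192.168.50.10", "203.0.113.5", "TCP", 22))
    print(evaluate(SAMPLE_POLICIES, set(), "192.168.50.10", "203.0.113.5", "TCP", 445))
```

A Guest on 192.168.50.10 is stopped by the group policy before the Lab subnet policy is ever consulted, an unauthenticated host on the same subnet falls through to the address policy, and a host outside both reaches the Default policy, which is exactly the ordering the notes above describe.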


Chapter 8 Advanced Firewall Services

In this chapter:
• Working with portals
• Managing the Web Proxy Service on page 87
• Instant Messenger Proxying on page 93
• Monitoring SSL-encrypted Chats on page 96
• SIP Proxying on page 96
• FTP Proxying on page 99
• Reverse Proxy Service on page 102
• SNMP on page 104
• DNS on page 105
• Censoring Message Content on page 109
• Managing the Intrusion System on page 114
• DHCP on page 119
For information on authentication services, see Chapter 10, Authentication and User Management on page 193.

Working with Portals
Advanced Firewall enables you to create portals which can be configured to make reports and software downloads available and enable users with the correct privileges to ban other users or locations from web browsing. For information on using a portal, see the Advanced Firewall Portal User’s Guide.

Creating a Portal
The following section explains how to create a portal and make it accessible to users in a specific group.

To create a user portal and make it available to users:
1 Browse to the Services > User portal > Portals page.
2 In the Portals area, enter a name for the portal and click Save. Advanced Firewall creates the portal and makes it accessible on your Advanced Firewall system at, for example: http://192.168.72.141/portal/
3 Browse to the Services > User portal > Groups page.

4 Configure the following settings:
Group – From the drop-down menu, select the group containing the users you want to authorize to use the portal. For more information on users and groups, see Chapter 10, Managing Groups of Users on page 216.
Portal – From the drop-down menu, select the portal you want the group to access.
5 Click Add. Advanced Firewall authorizes the group to use the portal. The next step is to configure the portal to enable authorized users to use it to download files, manage web access and display reports.

Configuring a Portal
The following sections explain how to configure an Advanced Firewall portal so that authorized users can view reports, block other users from accessing the web, download VPN client files and receive a custom welcome message.

Making Reports Available
To make reports available on a portal:
1 Browse to the Logs and reports > Reports > Reports page.
2 On the Permissions tab, locate the report you want to publish on a portal and click Portal Access. A dialog box containing report details opens.
3 From the Add access drop-down list, select the portal where you want to publish the report and click Add.
4 Click Close to close the dialog box.
5 Browse to the Services > User portal > Portals page and, in the Portals area, select the portal on which you want to make reports available and click Select.
6 In the Portal published reports and templates area, configure the following settings:
Enabled – Select Enabled.
Top reports displayed on portal home page – From the drop-down list, select the number of reports you want to display on the portal’s home page. Advanced Firewall will display the most often viewed reports.
7 Browse to the bottom of the page and click Save to save the settings and make the reports available on the portal.

Enabling the Policy Tester
The policy tester enables portal users to test if a URL is accessible to a user at a specific location and time. It also enables them to request that content reported by the tool as blocked be unblocked by Advanced Firewall’s system administrator. For more information, see Chapter 5, Using the Policy Tester on page 58.

To enable the policy tester:
1 Browse to the Services > User portal > Portals page and configure the following setting:
Policy tester – Select Enabled.
2 Configure the following settings:
Enabled – Select Enabled.
Allow unblock requests – Select to allow portal users to send an unblock request to Advanced Firewall’s system administrator.
Administrator's email address – Enter the email address to send the unblock request to.
3 Browse to the bottom of the page and click Save to save the settings.

Enabling Groups to Block Users’ Access
You can enable users in a specific group which can access the portal to block individual user web access.
To enable a group to block users:
1 Browse to the Services > User portal > Portals page and, in the Portals area, configure the following setting:
Portals – From the drop-down list, select the portal on which you want to enable groups to block users.
2 In the Portal permissions for web access blocking area, configure the following settings:
Enabled – Select Enabled.
Allow control of groups – Select this option and, in the list of groups displayed, select the group(s) containing the users that the group is authorized to block from accessing the web. To select consecutively listed groups, hold down the Shift key while selecting. To select non-consecutively listed groups, hold down the Ctrl key while selecting.
3 Browse to the bottom of the page and click Save to save the settings.

Enabling Groups to Block Location-based Web Access
You can enable users in a specific group which can access an Advanced Firewall portal to block specific locations from accessing the other networks or external connections. For information on locations, see Chapter 5, Working with Location Objects on page 39.
To authorize blocking:
1 Browse to the Services > User portal > Portals page and, in the Portals area, configure the following setting:
Portals – From the drop-down list, select the portal on which you want to authorize groups to block locations.
2 In the Portal permissions for web access blocking area, configure the following settings:

Allow control of locations – Select this option and, in the list of locations displayed, select the location(s) that the group is authorized to block from accessing the web. To select consecutively listed locations, hold down the Shift key while selecting. To select non-consecutively listed locations, hold down the Ctrl key while selecting.
3 Browse to the bottom of the page and click Save to save the settings.

Making the SSL VPN Client Archive Available
You can configure Advanced Firewall portals to make an SSL VPN client archive available for download on the portal. See Chapter 9, Virtual Private Networking on page 127 for information on how to create the archive.
To make the archive available:
1 In the VPN connection details area, select SSL VPN client archive download.
2 Browse to the bottom of the page and click Save to save the settings.

Configuring a Welcome Message
Advanced Firewall enables you to display a customized welcome message when a user visits a portal.
To display a welcome message on a portal:
1 Browse to the Services > User portal > Portals page and, in the Welcome message area, configure the following setting:
Welcome message – Select to display the message on the portal. In the text box, enter a welcome message and/or any information you wish the user to have, for example regarding acceptable usage of the portal.
2 Browse to the bottom of the page and click Save to save the settings.

Assigning Groups to Portals
The following section explains how to assign a group of users to a portal so that they can access it. For more information on groups, see Chapter 10, Managing Groups of Users on page 216.
To assign a group to a portal:
1 Browse to the Services > User portal > Groups page.
2 Configure the following settings:
Group – From the drop-down menu, select the group you want to allow access to the portal.
Portal – From the drop-down menu, select the portal you want the group to access.
3 Click Add. Advanced Firewall will allow members of the group to access the specified portal.

Making User Exceptions
You can configure Advanced Firewall so that a user uses a specific portal. This setting overrides group settings.

To make user exceptions on a portal:

1 Browse to the Services > User portal > User exceptions page.
2 Configure the following settings:

Setting – Description
Username – Enter the username of the user you want to access the portal.
Portal – From the drop-down list, select the portal you want the user to access.

3 Click Add. Advanced Firewall gives the user access to the portal.

Editing Portals

The following section explains how to edit a portal.

To edit a portal:

1 Browse to the Services > User portal > Portals page.
2 From the Portals drop-down list, select the portal you want to edit.
3 Make the changes you require; see Configuring a Portal on page 83 for information on the settings available.
4 Click Save to save the changes.

Accessing Portals

The following section explains how to access a portal. For more information, see the Advanced Firewall Portal User Guide.

To access a portal:

1 In the browser of your choice, enter the URL to the portal on your Advanced Firewall system, for example: http://192.168.72.141/portal/
2 Accept any certificate and other security information. Advanced Firewall displays the login page for the portal.
3 Enter a valid username and password and click Login. The portal is displayed.

Deleting Portals

The following section explains how to delete a portal.

To delete a portal:

1 Browse to the Services > User portal > Portals page.
2 From the Portals drop-down list, select the portal you want to delete.
3 Click Delete. Advanced Firewall deletes the portal.

Managing the Web Proxy Service

Advanced Firewall’s web proxy service provides local network hosts with controlled access to the Internet with the following features:
• Transparent or non-transparent operation
• Caching controls for improved resource access times
• Support for automatic configuration scripts
• Support for remote proxy servers.

Configuring and Enabling the Web Proxy Service

To configure and enable the web proxy service:

1 Navigate to the Services > Proxies > Web proxy page.

2 Configure the following settings:

Control – Description
Cache size – Enter the amount of disk space, in MBytes, to allocate to the web proxy service for caching web content, or accept the default value. The specified size must not exceed the amount of free disk space available. The cache size should be configured to an approximate size of around 40% of the system’s total storage capacity. Larger cache sizes can be specified, up to a maximum of around 10 gigabytes – approximately 10000 megabytes for a high performance system with storage capacity in excess of 25 gigabytes, but may not be entirely beneficial and can adversely affect page access times. This occurs when the system spends more time managing the cache than it saves retrieving pages over a fast connection. For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages. Web and FTP requests are cached. HTTPS requests and pages including username and password information are not cached.
Remote proxy – Optionally, enter the IP address of a remote proxy in the following format: hostname:port. Used to configure the web proxy to operate in conjunction with a remote web proxy. In most scenarios this field will be left blank and no remote proxy will be used. Larger organizations may wish to use a dedicated proxy, or sometimes ISPs offer remote proxy servers to their subscribers.
Remote proxy username – Enter the remote proxy username if using a remote proxy with user authentication.
Remote proxy password – Enter the remote proxy password when using a remote proxy with user authentication.
Max object size – Specify the largest object size that will be stored in the proxy cache. Objects larger than the specified size will not be cached. This prevents large downloads filling the cache. The default of 4096 K bytes (4 M bytes) should be adjusted to a value suitable for the needs of the proxy end-users.
Min object size – Specify the smallest object size that will be stored in the proxy cache. Objects smaller than the specified size will not be cached. This can be useful for preventing large numbers of tiny objects filling the cache. The default is no minimum – this should be suitable for most purposes.
Max incoming size – Specify the maximum amount of inbound data that can be received by a browser in any one request. This limit is independent of whether the data is cached or not. This can be used to prevent excessive and disruptive download activity. The default is no limit.
Max outgoing size – Specify the maximum amount of outbound data that can be sent by a browser in any one request. This can be used to prevent large uploads or form submissions. The default is no limit.

Control – Description
Transparent – Select to enable transparent proxying. When operating in transparent mode, network hosts and users do not need to configure their web browsers to use the web proxy. All requests are automatically redirected through the cache. In non-transparent mode, proxy server settings (IP address and port settings) must be configured in all browsers. This can be used to prevent network hosts from browsing without using the proxy server. For more information, see About Web Proxy Methods on page 91.
Enabled – Select to enable the web proxy service.
Disable proxy logging – Select to disable the proxy logging.
Allow admin port access – Select to permit access to other network hosts over ports 81 and 441, through the proxy. This is useful for accessing a remote Smoothwall System, or other non-standard HTTP and HTTPS services. Note: By selecting this option, it is possible to partially bypass the admin access rules on the System > Administration > Admin options page. This would allow internal network hosts to access the admin logon prompt via the proxy. In normal circumstances such communication would be prevented.
Do not cache – Enter any domains that should not be web cached, one entry per line. Enter domain names without the www. prefix. This can be used to ensure that old content of frequently updated web sites is not cached.
No user authentication – Select to allow users to globally access the web proxy service without authentication.
Proxy authentication – Select to allow users to access the web proxy service according to the username and password that they enter when prompted by their web browser. The username and password details are encoded in all future page requests made by the user's browser software. Note: You can only use proxy authentication if the proxy is operating in non-transparent mode.
Core authentication – Select to allow users to access the web proxy service by asking the authentication system whether there is a known user at a particular IP address. If the user has not been authenticated by any other authentication mechanism, the user’s status is returned by the authentication system as unauthenticated.
Groups allowed to use web proxy – Authenticated users can be selectively granted or denied access to the web proxy service according to their authentication group membership. Proxy access permissions are only applied if an authentication method other than No user authentication has been selected.
Exception local IP addresses – Enter any IP addresses on the local network that should be completely exempt from authentication restrictions. Exception local IP addresses are typically used to grant administrator workstations completely unrestricted Internet access.
Banned local IP addresses – Enter any IP addresses on the local network that are completely banned from using the web proxy service. If any hosts contained in this list try to access the web they will receive an error page stating that they are banned.

Automatic configuration script custom direct hosts – Enter any additional hosts required in the automatic configuration script’s list of direct (non-proxy routing) hosts. All hosts listed will be automatically added to a browser's Do not use proxy server for these addresses proxy settings if the browser accesses the automatic configuration script for its proxy settings. This is useful for internal web servers such as a company intranet server. Note: Browsers must be configured to access the automatic configuration script to receive this list of direct routing hosts.
Manual web browser proxy settings – After enabling and restarting the service, the proxy address and port settings to be used when manually configuring end-user browsers are displayed here.
Use automatic configuration script address – After enabling and restarting the service, the automatic configuration script location is displayed here. Note: Microsoft Internet Explorer provides only limited support for automatic configuration scripts. Tests by Smoothwall indicate a number of intermittent issues regarding the browser’s implementation of this feature. Smoothwall recommends the use of Mozilla-based browsers when using the automatic configuration script functionality.
Interfaces – Select the interface for the web proxy traffic.

3 Save and restart the web proxy service by clicking Save and Restart or Save and Restart with cleared cache. The web proxy will be restarted with any configuration changes applied. During this time, end-user browsing will be suspended and any currently active downloads will fail. It is a good idea to restart when it is convenient for the proxy end-users.
Note: Restarting may take up to a minute to complete.
Note: Save and Restart with cleared cache – Used to save configuration changes and empty the proxy cache of all data. This is useful when cache performance has been degraded by the storage of stale information – typically from failed web-browsing or poorly constructed web sites.

About Web Proxy Methods

The following sections discuss the types of web proxy methods supported by Advanced Firewall.

Transparent Proxying

If Advanced Firewall's web proxy service has been configured to operate in transparent mode, all HTTP port 80 requests will be automatically redirected through the proxy cache. If you are having problems with transparent proxying, check that the following settings are not configured in end-user browsers:
• Automatic configuration
• Proxy server.

Non-Transparent Proxying

If Advanced Firewall’s web proxy service has not been configured to operate in transparent mode, all end-user browsers on local workstations in Advanced Firewall network zones must be configured.

You can configure browser settings:
• Manually – Browsers are manually configured to enable Internet access. This information is displayed on the Services > Proxies > Web proxy page.
• Automatically using a configuration script – Browsers are configured to receive proxy configuration settings from an automatic configuration script. The configuration script is automatically generated by Advanced Firewall and is accessible to all network zones that the web proxy service is enabled on. The location is displayed on the Services > Proxies > Web proxy page.
• WPAD automatic script – Browsers are configured to automatically detect proxy settings, and a local DNS server or Advanced Firewall static DNS has a host wpad.YOURDOMAINNAME added.

Configuring End-user Browsers

The following steps explain how to configure web proxy settings in the latest version of Internet Explorer available at the time of writing.

To configure Internet Explorer:

1 Start Internet Explorer, and from the Tools menu, select Internet Options.
2 On the Connections tab, click LAN settings.
3 Configure the following settings:

Method – To configure:
Manual –
1 In the Proxy server area, select Use a proxy server for your LAN …
2 Enter your Advanced Firewall's IP address and port number 800.
3 Click Advanced to access more settings.
4 In the Exceptions area, enter the IP address of your Advanced Firewall and any other IP addresses of content that you do not want filtered, for example, your intranet or local wiki.
5 Click OK and OK to save the settings.
Automatic configuration script –
1 In the Automatic configuration area, select Use automatic configuration script.
2 In the Automatic configuration script area, enter the location of the script, for example: http://192.168.72.141/proxy.pac
3 Ensure that no other proxy settings are enabled or have entries.
4 Click OK and OK to save the settings.

WPAD – Note: This method is only recommended for administrators familiar with configuring web and DNS servers.
1 In the Automatic configuration area, select Automatically detect settings.
2 Click OK and OK to save the settings.
3 On a local DNS server or using Advanced Firewall static DNS, add the host wpad.YOURDOMAINNAME, substituting your domain name. The host must resolve to the Advanced Firewall IP.
Note: PCs will have had to be configured with the same domain name as the A record for it to work.

When enabled in end-user browsers, Web Proxy Auto-Discovery (WPAD) prepends the hostname wpad to the front of its fully qualified domain name and looks for a web server on port 80 that can supply it a wpad.dat file. The file tells the browser what proxy settings it should use.

Microsoft Knowledge Base article Q252898 suggests that the WPAD method does not work on Windows 2000. However, this is contrary to some of our testing. They suggest that you should use a DHCP auto-discovery method using a PAC file. See the article for more information.

Instant Messenger Proxying

Advanced Firewall’s Instant Messenger (IM) proxy service can log the majority of IM traffic. Note: Advanced Firewall cannot monitor IM sessions within HTTP requests, such as when Microsoft MSN connects through an HTTP proxy. Neither can Advanced Firewall intercept conversations which are secured by end-to-end encryption, such as provided by Off-the-Record Messaging (http://www.cypherpunks.ca/otr/). However, using SSL Intercept, Advanced Firewall can monitor Jabber/Google Talk and AIM sessions protected by SSL; see below for more information. Advanced Firewall can also censor instant messaging content; for more information, see Censoring Message Content on page 109.
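Returning to the automatic configuration script and WPAD methods above: both hand the browser a PAC script, and the following is an added illustration of the routing logic such a script expresses, not the proxy.pac that Advanced Firewall itself generates. It assumes the firewall address and web proxy port from the guide's examples (192.168.72.141, port 800); the hostnames in DIRECT_HOSTS are constructed placeholders for the custom direct hosts an administrator would enter.

```javascript
// Added example (not from the Smoothwall guide): a proxy auto-configuration
// (PAC) script of the kind a browser fetches as proxy.pac or wpad.dat.
// Assumed values: firewall 192.168.72.141 and web proxy port 800 (from the
// guide's examples). DIRECT_HOSTS holds constructed placeholder names.
const FIREWALL_IP = "192.168.72.141";
const PROXY_PORT = 800;
const DIRECT_HOSTS = ["intranet.example.internal", "wiki.example.internal"];

// Browsers supply these helpers when they evaluate a PAC file. Minimal
// re-implementations are included so the script also runs under Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isInNet(host, net, mask) {
  // Only dotted-quad hosts are checked; names would need dnsResolve().
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const toInt = (ip) =>
    ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
  return (toInt(host) & toInt(mask)) === (toInt(net) & toInt(mask));
}

// Entry point every PAC-aware browser calls once per request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Requests to the firewall itself (e.g. the user portal) must not loop
  // back through its own proxy.
  if (host === FIREWALL_IP) return "DIRECT";
  // Unqualified names and RFC 1918 addresses are local: go direct.
  if (isPlainHostName(host) ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Administrator-supplied direct hosts (the guide's intranet-server case),
  // including any name beneath them.
  for (const h of DIRECT_HOSTS) {
    if (host === h || dnsDomainIs(host, "." + h)) return "DIRECT";
  }
  // Everything else goes via the Advanced Firewall web proxy. No trailing
  // "; DIRECT" fallback is given: that would let browsers bypass the proxy
  // whenever it is unreachable, defeating the point of forcing proxy use.
  return "PROXY " + FIREWALL_IP + ":" + PROXY_PORT;
}

// Convenience wrapper: extract the host from a URL and return the decision.
function decide(url) {
  const m = /^[a-z]+:\/\/([^\/:]+)/i.exec(url);
  return FindProxyForURL(url, m ? m[1] : url);
}

// Demonstration when run directly under Node.
if (typeof require !== "undefined" && require.main === module) {
  for (const u of ["http://www.smoothwall.net/", "http://intranet.example.internal/",
                   "http://192.168.72.141/portal/", "http://fileserver/"]) {
    console.log(u, "->", decide(u));
  }
}
```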

To configure the instant messaging proxy service:

1 Browse to the Services > Proxies > Instant messenger page.
2 Configure the following settings:

Setting – Description
Enabled – Select to enable the instant messaging proxy service.

Enabled on interfaces – Select the interfaces on which to enable IM proxying.
MSN – Select to proxy and monitor Microsoft Messenger conversations.
AIM and ICQ – Select to proxy and monitor ICQ and AIM conversations.
Yahoo – Select to proxy and monitor Yahoo conversations.
Jabber – Select to proxy and monitor conversations which use the Jabber protocol.
GaduGadu – Select to proxy and monitor GaduGadu conversations.
Intercept SSL – Select to monitor conversations on Google Talk or AIM instant messaging clients which have SSL mode enabled. For more information, see Monitoring SSL-encrypted Chats on page 96.
Hide conversation text – Select this option to record instant message events, such as messages in and out, but to discard the actual conversation text before logging.
Block all filetransfers – Select this option to block file transfers using certain IM protocols. Currently, this setting blocks files transferred using the MSN, ICQ, AIM and Yahoo IM protocols.
Enable Message Censor – Select to enable censoring of words usually considered unsuitable. When this option is selected, Advanced Firewall censors unsuitable words by replacing them with *s. For more information, see Censoring Message Content on page 109.
Logging warning response – Select to inform IM users that their conversation is being logged. Note: This option does not work with the ICQ/AIM protocol.
Logging warning response message – Optionally, enter a message to display informing users that their conversations are being logged. This message is displayed once a week.
Blocked response – Select to inform IM users that their message or file transfer has been blocked. If multiple messages or files are blocked, this message is displayed at 15 minute intervals. This option does not work with the ICQ/AIM protocol.
Blocked response message – Optionally, enter a message to display when a message or file is blocked, or accept the default message.
Automatic whitelisting – Settings here enable you to control who can instant message your local users. Block unrecognized remote users – Select this option to automatically add a remote user to the white-list when a local user sends them an instant message. Once added to the white-list, the remote user and the local user can instant message each other freely. When enabled, any remote users who are not on the white-list are automatically blocked. Number of current entries – Displays the number of entries currently in the whitelist user list. Clear Automatic Whitelisted user list – Click to clear the white-list.
White-list users – To whitelist a user, enter their instant messaging ID, for example JohnDoe@hotmail.com.
Black-list users – To blacklist a user, enter their instant messaging ID, for example JaneDoe@hotmail.com.

Exception local IP addresses – To exclude specific IP addresses, enter them here.

3 Click Save to save and implement your settings.

Monitoring SSL-encrypted Chats

Advanced Firewall can monitor Google Talk and AIM instant message (IM) chats which use SSL for encryption. To do this, Advanced Firewall generates an Advanced Firewall CA certificate.

Note: Using Network Guardian to monitor SSL-encrypted IM chats reduces security on IM clients, as the clients are unable to validate the real IM server certificate.

To monitor SSL-encrypted conversations:

1 Browse to the Services > Proxies > Instant messenger page. Enable IM proxying and configure the settings you require. For full information on the settings available, see Instant Messenger Proxying on page 93.
2 Select Intercept SSL, select the interfaces on which to enable the monitoring and click Save.
3 Click Export Certificate Authority certificate.
4 Download and install the certificate on PCs which use Google Talk and SSL-enabled AIM IM clients. Advanced Firewall will now monitor and log the chats.

SIP Proxying

Advanced Firewall supports a proxy to manage Session Initiation Protocol (SIP) traffic. SIP normally operates on port 5060, and is used to set up sessions between two parties. SIP is often used to set up calls in Voice over Internet Protocol (VoIP) systems. In the case of VoIP, it is a Real-time Transport Protocol (RTP) session that is set up, and it is the RTP stream that carries voice data. RTP operates on random unprivileged ports and, as such, is not NAT friendly. For this reason, Advanced Firewall’s SIP proxy is also able to proxy RTP traffic, solving some of the problems involved in setting up VoIP behind NAT. Advanced Firewall’s SIP proxy ensures that RTP is also proxied, allowing VoIP products to work correctly.

Types of SIP Proxy

There are two types of SIP proxy: a registering SIP proxy, and a pass-through proxy. A registering proxy or registrar allows SIP clients to register so that they may be looked up and contacted by external users. A pass-through proxy merely rewrites the SIP packets such that the correct IP addresses are used and the relevant RTP ports can be opened. Some clients will allow users to configure one SIP proxy – this is invariably the registering proxy; others will allow for two proxies, one to which the client will register, and one which the client uses for access.

Choosing the Type of SIP Proxying

As with many types of proxy, the SIP proxy can be used in transparent mode. In transparent mode, the proxy is only useful as a pass-through. This mode is useful for those clients which do not support a second proxy within their configuration. If all your clients can be properly configured with a second proxy, transparent mode is not required. If the proxy is operating in transparent mode, the non-transparent proxy is still available, so a mixture of operation is possible.

Configuring SIP

To configure and enable the SIP proxy:

1 Browse to the Services > Proxies > SIP page.
2 Configure the following settings:

Setting – Description
Enabled – Select to enable the SIP proxy service.
SIP client internal interface – From the drop-down list, select the interface for the SIP proxy to listen for connections on. This is the interface on which you will place your SIP clients.
Maximum number of clients – Select the maximum number of clients which can use the proxy. Setting the maximum number of clients is a useful way to prevent malicious internal users performing a DoS on your registering proxy.
Logging – Select the logging level required. Select from: Normal – Just warnings and errors; Detailed – Warnings, errors and informational messages; Very detailed – Everything, including debugging messages.
Log calls – Select if you require individual call logging.

Diffserv mark for RTP packets – From the drop-down menu, select a Diffserv mark to apply to SIP RTP packets. The built-in RTP proxy is able to apply a diffserv mark to all RTP traffic for which it proxies. This is useful because it is otherwise quite tricky to define RTP traffic, as it may occur on a wide range of ports. Prioritizing SIP traffic on port 5060 would not make any difference to VoIP calls. This traffic can be traffic shaped with SmoothTraffic, Smoothwall’s Quality of Service (QoS) module, if it is installed. In this way, traffic passing through the firewall may be prioritized to give a consistent call quality to VoIP users. The standard mark is BE, which is equivalent to doing nothing. Other marks may be interpreted by upstream networking equipment, such as that at your ISP, and can also be acted upon by SmoothTraffic, if it is installed.
Transparent – The SIP proxy may be configured in both transparent and non-transparent mode. Select this option if you require a transparent SIP proxy. When operating transparently, the SIP proxy is not used as a registrar, but will allow internal SIP devices to communicate properly with an external registrar such as an ITSP. Hosts which should not be forced to use the transparent SIP proxy must be listed in the Exception IPs box below. Note: If a client is using the proxy when transparent proxying is turned on, the existing users may fail to use the transparent proxy until the firewall is rebooted. This is due to the in-built connection tracking of the firewall’s NAT.
Exception IPs – The hosts which should not be forced to use the transparent SIP proxy.

3 Click Save to enable and implement SIP proxying.

FTP Proxying

Advanced Firewall provides you with a proxy to manage FTP traffic and also makes transparent proxying possible.

Configuring non-Transparent FTP Proxying

The following section explains how to configure FTP proxying in non-transparent mode.

1 Browse to the Services > Proxies > FTP page.
2 Configure the following settings:

Setting – Description
Status – Select Enabled to enable the FTP proxy.
Proxy port – From the drop-down list, select the port for FTP traffic. Note: The port you select must be open for the FTP client. You configure this on the System > Administration > External access page. See Chapter 13, Configuring External Access on page 273 for more information.
Anti-malware scanning – Select to scan files for malware. Note: For performance reasons, files larger than 100 MB are not scanned for malware.

Access control – Select one of the following:
Allow connections to any server – Select to allow FTP connections to all servers.
Only connections to specified servers – Select to specify which remote FTP connections are allowed and configure the following: Remote FTP server white-list – Enter the hostname or IP address of any remote FTP servers you want to white-list. Enter one hostname or IP, colon and port per line, for example: ftp.company.com or 1.2.3.4. If no information is listed, all hostnames on all ports will be accessible.

3 Click Save changes to save the settings and enable non-transparent FTP proxying.
4 Configure FTP clients as follows:

Setting – Description
Remote host – Enter Advanced Firewall’s hostname or IP address.
Remote port – Enter the FTP proxy port configured on Advanced Firewall, either 21 or 2121. See Configuring non-Transparent FTP Proxying on page 99 for more information.
Remote username – Enter the username in the following format: remoteusername@remoteftpserver

Configuring Transparent FTP Proxying

To configure transparent FTP proxying:

1 Browse to the Services > Proxies > FTP page.

2 Configure the following settings:

Setting – Description
Status – Select Enabled to enable the FTP proxy.
Proxy port – From the drop-down list, select the port for FTP traffic. Note: The port you select must be open for the FTP client. You configure this on the System > Administration > External access page. See Chapter 13, Configuring External Access on page 273 for more information.
Anti-malware scanning – Select to scan files for malware. Note: For performance reasons, files larger than 100 MB are not scanned for malware.
Access control – Select one of the following:
Allow connections to any server – Select to allow FTP connections to all servers.
Only connections to specified servers – Select to specify which remote FTP connections are allowed and configure the following: Remote FTP server white-list – Enter the hostname or IP address of any remote FTP servers you want to white-list. Enter one hostname or IP, colon and port per line, for example: ftp.company.com or 1.2.3.4. If no information is listed, all hostnames on all ports will be accessible.

3 In the Transparent proxy settings area, configure the following settings:

Setting – Description
Source IPs – Select one of the following:
Transparently proxy all IPs – Select to transparently FTP proxy for all source IPs.
Transparently proxy only the following IPs – Select to transparently FTP proxy for the source IPs specified. Enter the IP addresses of local machines which are to be allowed access to transparent FTP proxying. Enter one IP address per line, for example: 1.2.3.4
Transparently proxy all except the following IPs – Select to transparently FTP proxy all except the source IPs specified. Enter the IP addresses of local machines which are to be excluded from transparent FTP proxying. Enter one IP address per line, for example: 1.2.3.4

Destination IPs – Select one of the following:
Transparently proxy all IPs – Select to transparently FTP proxy for all destination IPs.
Transparently proxy only the following IPs – Select to transparently FTP proxy for the destination IPs specified. Enter the IP addresses of the machines which are to be allowed access to transparent FTP proxying. Enter one IP address per line, for example: 1.2.3.4
Transparently proxy all except the following IPs – Select to transparently FTP proxy all except the destination IPs specified. Enter the IP addresses of the machines which are to be excluded from transparent FTP proxying. Enter one IP address per line, for example: 1.2.3.4
Transparent proxy interfaces – Select the interface on which to transparently proxy FTP traffic.

4 Click Save changes to save the settings and enable transparent FTP proxying.

When running Advanced Firewall’s FTP proxy in transparent mode, you do not need to configure FTP client applications.

Reverse Proxy Service

Advanced Firewall’s reverse proxy service enables you to control requests from the Internet and forward them to servers in an internal network. The reverse proxy service:
• Provides the ability to route multiple HTTP and HTTPS sites to each of their own internal servers.
• Provides the ability to publish Microsoft Exchange services such as Outlook Web Access (OWA) and Outlook Anywhere (previously RPC over HTTPS)
• Monitors traffic passing through the reverse proxy
• Increases server efficiency by SSL off-loading.
• Improves web server security using intrusion prevention system (IPS).

Configuring the Reverse Proxy Service

The following sections explain how to enable, configure and deploy the reverse proxy service.

To enable, configure and deploy the reverse proxy service:

1 Navigate to the Services > Proxies > Reverse proxy page.
2 In the Global options area, configure the following settings:

Setting – Description
Reverse proxy – Select one of the following settings: Enable – Select to enable the service. Disable – Select to disable the service.
SSL certificate – The reverse proxy service caters for HTTPS sites using an SSL certificate. Select one of the following options to specify the SSL certificate to use:
Built-in – Select this option to use Advanced Firewall’s built-in SSL certificate.
Custom certificate – Select this option to upload a custom certificate and key file. Note: The certificate and key files must be distinct and separate, and they must be in the unencrypted PEM format. Tip: You can use the XCA certificate and key management client to import and export your SSL certificates and key files in any standard format.
To upload a custom certificate and key:
1 Certificate – Click the Choose file/Browse button and browse to and select the certificate. Click Upload to upload the certificate.
2 Key – Click the Choose file/Browse button and browse to and select the key. Click Upload to upload the key.

1.168.1. The SNMP service allows all gathered management data to be queried by any 104 . 6 Repeat the steps above to enable.1. if a request does not match an address already configured.com and example. domain or IP address of the site you want to publish in the following format: http://example. Advanced Firewall’s SNMP service operates as an SNMP agent that gathers all manner of system status information.example.com/. e. unless you use a wildcard for the domain.1. click Advanced and configure the following settings: Setting Description Intrusion prevention Advanced Firewall’s intrusion prevention system (IPS) policies stop intrusions such as known and zero-day attacks. In SNMP terminology. see Managing the Intrusion System on page 114. https://www.example.com Internal address Enter the protocol with the IP address or IP address and port of the web server.com or http://example.1 or IP address and port. 192.168. You can also enter a path to the site you want to publish in the URL.168.com. http:// .example. specify it as: .168.com/path/ You must include http or https in the address. 5 Click Save. typically for centralized administrative purposes. External address Enter the URL. Advanced Firewall will default to 80 for HTTP sites and 443 for HTTPS sites. e. undesired access and denial of service. https://192. http:// 192.com. Click Save to save the global options.g. http://192. Advanced Firewall enables and deploys the reverse proxy service and lists it in the Rules area. of the web server to failback to.example. they are treated as distinct and separate sites. In the Manage rule area. description. SNMP Simple Network Management Protocol (SNMP) is part of the IETF’s Internet Protocol suite.1:1234. Advanced Firewall can be regarded as a managed device when the SNMP service is enabled.g. configure and deploy more rules. If no port is specified. Failback internal address 4 Enter the IP address.1. For more information. 192.1.168. 
SNMP

Simple Network Management Protocol (SNMP) is part of the IETF’s Internet Protocol suite. It is used to enable a network-attached device to be monitored, typically for centralized administrative purposes. In SNMP terminology, Advanced Firewall can be regarded as a managed device when the SNMP service is enabled.

Advanced Firewall’s SNMP service operates as an SNMP agent that gathers all manner of system status information, including the following:

• System name, description, location and contact information
• Live TCP and UDP connection tables
• Detailed network interface and usage statistics
• Network routing table
• Disk usage information
• Memory usage information

The SNMP service allows all gathered management data to be queried by any SNMP-compatible NMS (Network Management System) device that is a member of the same SNMP community.

Note: To access the SNMP service, remote access permissions for the SNMP service must be configured. For further information, see Chapter 13, Configuring Administration and Access Settings on page 272.

To enable and configure the SNMP service:

1 Navigate to the Services > SNMP > SNMP page.

2 Select Enabled and enter the SNMP community password into the Community text field. The Community field is effectively a simple password control that enables SNMP devices sharing the same password to communicate with each other. The default value public is the standard SNMP community. Because public is the well-known default, and the community string is the only credential configured here for access to the connection tables, routing table and interface statistics listed above, change it before enabling the service and limit remote access to the addresses of your management systems.

3 Click Save.

Note: To view information and statistics provided by the system's SNMP service, a third-party SNMP management tool is required. For specific details about how to view all the information made accessible by Advanced Firewall’s SNMP service, please refer to the product documentation that accompanies your preferred SNMP management tool.

DNS

The following sections discuss domain name system (DNS) services in Advanced Firewall.

Adding Static DNS Hosts

Advanced Firewall can use a local hostname table to resolve internal hostnames. This allows the IP address of a named host to be resolved by its hostname.

Note: Advanced Firewall itself can resolve static hostnames regardless of whether the DNS proxy service is enabled.

To add a static DNS host:

1 Navigate to the Services > DNS > Static DNS page.

2 Configure the following settings:

IP address – Enter the IP address of the host you want to be resolved.
Hostname – Enter the hostname that you would like to resolve to the IP address.
Enabled – Select to enable the new host being resolved.
Comment – Enter a description of the host.

3 Click Add. The static host is added to the Current hosts table.

Editing and Removing Static Hosts

To edit or remove existing static hosts, use Edit and Remove in the Current hosts area.

Enabling the DNS Proxy Service

The DNS proxy service is used to provide internal and external name resolution services for local network hosts. In this mode, local network hosts use Advanced Firewall as their primary DNS server to resolve external names, if an external connection is available, in addition to any local names that have been defined in Advanced Firewall’s static DNS hosts table.

To enable the DNS proxy service on a per-interface basis:

1 Navigate to the Services > DNS > DNS Proxy page.

2 Configure the following settings:

Interfaces – Select each interface that should be able to use the DNS proxy.
Advanced: Forward SRV & SOA records – Optionally, select this setting to stop the DNS proxy from filtering out SRV & SOA records. Any such filtering would prevent SIP, Kerberos and other services from functioning.

3 Click Save.

Note: If the DNS proxy settings were configured as 127.0.0.1 during the initial installation and setup process of Advanced Firewall, the system will use the DNS proxy for name resolution.

Managing Dynamic DNS

Advanced Firewall’s dynamic DNS service is useful when using an external connection that does not have a static IP. Dynamic host rules are used to automatically update leased DNS records by contacting the service provider whenever the system's IP address is changed by the ISP, in order to enable consistent routing to Advanced Firewall from the Internet.

The dynamic DNS service can operate with a number of third-party dynamic DNS service providers. The following dynamic DNS service providers are supported:

• dhs.org
• dyndns.org (Dynamic)
• dyndns.org (Static)
• dyndns.org (Custom)
• dyns.cx
• easydns.com
• ez-ip.net
• hn.org
• no-ip.com
• ods.org
• zoneedit.com

Many of these service providers offer a free of charge, basic service.

To create a dynamic host:

1 Navigate to the Services > DNS > Dynamic DNS page.

2 Configure the following settings:

Service – From the drop-down list, select your dynamic DNS service provider.
Behind a proxy – Select if your service provider is no-ip.com and the system is behind a web proxy. Note: This is not necessary when using dyndns.org as the service provider.
Enable wildcards – Select to specify that sub-domains of the hostname should resolve to the same IP address, for example domain.dyndns.org and sub.domain.dyndns.org will both resolve to the same IP. Note: This option cannot be used with no-ip.com; it must be selected from their web site.
Hostname – Enter the hostname registered with the dynamic DNS service provider.
Domain – Enter the domain registered with the dynamic DNS service provider.
Username – Enter the username registered with the dynamic DNS service provider.
Password – Enter the password registered with the dynamic DNS service provider.
Enabled – Select to enable the service.
Comment – Enter a description of the dynamic DNS host.

3 Click Add. The dynamic host will be added to the Current hosts table.

Editing and Removing Dynamic Hosts

To edit or remove existing dynamic hosts, use Edit and Remove in the Current hosts area.

Forcing a Dynamic DNS Update

The dynamic DNS service will update the DNS records for the host whenever the host’s IP address changes. However, it may be necessary on some occasions to forcibly update the service provider's records.

To force an update:

1 Click Force update.

Note: Dynamic DNS service providers do not like updating their records when an IP address has not changed, and may suspend the user accounts of users they deem to be abusing their service.

Censoring Message Content

Advanced Firewall enables you to create and deploy policies which accept, modify, block and/or log content in messages.

Configuration Overview

Configuring a message censor policy entails:

• Defining custom categories required to cater for situations not covered by the default Advanced Firewall phrase lists; for more information, see Creating Custom Categories on page 109
• Configuring time periods during which policies are applied; for more information, see Setting Time Periods on page 110
• Configuring filters which classify messages by their textual content; for more information, see Creating Filters on page 111
• Configuring and deploying a policy consisting of a filter, an action, a time period and a level of severity; for more information, see Creating and Applying Message Censor Policies on page 113.

Managing Custom Categories

Custom categories enable you to add phrases which are not covered by the default Advanced Firewall phrase lists. The following sections explain how to create, edit and delete custom categories.

Creating Custom Categories

The following section explains how to create a custom category.

To create a custom category:

1 Browse to the Services > Message censor > Custom categories page.

2 Configure the following settings:

Name – Enter a name for the custom category.
Phrases – Enter the phrases you want to add to the category. Enter one phrase, in brackets, per line, using the format:
(example-exact-phrase) – Advanced Firewall matches exact phrases without taking into account possible spelling errors.
(example-approximate-phrase)(2) – For the number specified, Advanced Firewall uses ‘fuzzy’ matching to take into account that number of spelling mistakes or typographical errors when searching for a match.
Comment – Optionally, enter a description of the category.

3 Click Add. Advanced Firewall adds the custom category to the current categories list and makes it available for selection on the Services > Message censor > Filters page.

4 At the top of the page, click Restart to apply the changes.

Editing Custom Categories

The following section explains how to edit a custom category.

To edit a custom category:

1 Browse to the Services > Message censor > Custom categories page.
2 In the Current categories area, select the category and click Edit.
3 In the Phrases area, add, edit and/or delete phrases. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.

Deleting Custom Categories

The following section explains how to delete custom categories.

To delete custom categories:

1 Browse to the Services > Message censor > Custom categories page.
2 In the Current categories area, select the category or categories and click Remove.
3 At the top of the page, click Restart to apply the changes.

Setting Time Periods

You can configure Advanced Firewall to apply policies at certain times of the day and/or days of the week.

To set a time period:

1 Browse to the Services > Message censor > Time page.

2 Configure the following settings:

Name – Enter a name for the time period.
Active from – to – From the drop-down lists, set the time period. Select the weekdays when the time period applies.
Comment – Optionally, enter a description of the time period.

3 Click Add. Advanced Firewall creates the time period and makes it available for selection on the Services > Message censor > Policies page.

4 At the top of the page, click Restart to apply the changes.

Editing Time Periods

The following section explains how to edit a time period.

To edit a time period:

1 Browse to the Services > Message censor > Time page.
2 In the Current time periods area, select the time period and click Edit.
3 In the Time period settings, edit the settings. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.

Deleting Time Periods

The following section explains how to delete time periods.

To delete time periods:

1 Browse to the Services > Message censor > Time page.
2 In the Current time periods area, select the period(s) and click Remove.
3 At the top of the page, click Restart to apply the changes.

Creating Filters

Advanced Firewall uses filters to classify messages according to their textual content. Advanced Firewall supplies a default filter. You can create, edit and delete filters. You can also create custom categories of phrases for use in filters; for more information, see Creating Custom Categories on page 109.

To create a filter:

1 Browse to the Services > Message censor > Filters page.

2 Configure the following settings:

Name – Enter a name for the filter.
Custom phrase list – Select the categories you want to include in the filter.
Comment – Optionally, enter a description of the filter.

3 Click Add. Advanced Firewall creates the filter and makes it available for selection on the Services > Message censor > Policies page.

4 At the top of the page, click Restart to apply the changes.

Editing Filters

You can add, change or delete categories in a filter.

To edit a filter:

1 Browse to the Services > Message censor > Filters page.
2 In the Current filters area, select the filter and click Edit.
3 In the Custom phrase list area, edit the settings. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.

Deleting Filters

You can delete filters which are no longer required.

To delete filters:

1 Browse to the Services > Message censor > Filters page.
2 In the Current filters area, select the filter(s) and click Remove.
3 At the top of the page, click Restart to apply the changes.
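A worked example of the pieces described above, from the phrase syntax of a custom category, through a filter built from categories, to the four policy actions (Block, Censor, Allow, Categorize) defined under Creating and Applying Message Censor Policies below. It is added here for illustration and is not Smoothwall's code. The guide does not define what 'fuzzy' matching is, so this assumes Levenshtein edit distance over runs of words, case-insensitive matching, and masking with asterisks for the Censor action; the category and messages are constructed.

```python
import re

# "(phrase)" or "(phrase)(n)" with n permitted spelling errors, one per line
PHRASE_RE = re.compile(r"^\(([^()]+)\)(?:\((\d+)\))?$")
WORD_RE = re.compile(r"\S+")


def parse_phrase(line: str):
    """'(secret project)' -> ('secret project', 0); '(confidential)(1)' -> ('confidential', 1)."""
    m = PHRASE_RE.match(line.strip())
    if not m:
        raise ValueError(f"phrase must be written as (phrase) or (phrase)(n): {line!r}")
    return m.group(1).lower(), int(m.group(2) or 0)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_matches(text: str, phrase: str, tolerance: int):
    """Yield (start, end) spans of text that match the phrase.

    Exact phrases are case-insensitive substring matches. Fuzzy phrases are
    compared against every run of words of the phrase's word count and match
    when within `tolerance` edits (assumed meaning of 'fuzzy' matching).
    """
    low = text.lower()   # ASCII text assumed, so offsets line up with `text`
    if tolerance == 0:
        for m in re.finditer(re.escape(phrase), low):
            yield m.start(), m.end()
        return
    words = list(WORD_RE.finditer(low))
    k = len(phrase.split())
    for i in range(len(words) - k + 1):
        start, end = words[i].start(), words[i + k - 1].end()
        if edit_distance(low[start:end], phrase) <= tolerance:
            yield start, end


def classify(text: str, filter_categories: dict):
    """Apply a filter (category name -> phrase lines); return {category: [spans]}."""
    hits = {}
    for name, lines in filter_categories.items():
        spans = []
        for line in lines:
            phrase, tolerance = parse_phrase(line)
            spans.extend(find_matches(text, phrase, tolerance))
        if spans:
            hits[name] = spans
    return hits


def apply_policy(text: str, filter_categories: dict, action: str):
    """Apply one policy action to a message; return (delivered_text, log_entry).

    block      -> nothing delivered, hit logged
    censor     -> matched text masked, message delivered, hit logged
    allow      -> delivered unchanged and not processed further (not logged)
    categorize -> delivered unchanged, hit logged
    """
    hits = classify(text, filter_categories)
    if not hits:
        return text, None
    entry = {"action": action, "categories": sorted(hits)}
    if action == "block":
        return None, entry
    if action == "censor":
        masked = list(text)
        for spans in hits.values():
            for start, end in spans:
                masked[start:end] = "*" * (end - start)
        return "".join(masked), entry
    if action == "allow":
        return text, None
    if action == "categorize":
        return text, entry
    raise ValueError(f"unknown action {action!r}")


# Constructed category for illustration; not one of the default phrase lists.
FILTER = {"constructed-internal": ["(secret project)", "(confidential)(1)"]}

if __name__ == "__main__":
    for msg in ("Secret Project status?", "this is confidental data", "lunch at noon"):
        print(msg, "->", apply_policy(msg, FILTER, "censor"))
```

The misspelt "confidental" is caught only because its phrase carries a tolerance of 1; the same word against an exact "(confidential)" line would pass, which is the trade-off the bracketed number expresses.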

Creating and Applying Message Censor Policies

The following section explains how to create and apply a censor policy for message content. A policy consists of a filter, an action, a time period and a level of severity.

To create and apply a censor policy:

1 Browse to the Services > Message censor > Policies page.

2 Configure the following settings:

Service – From the drop-down menu, select one of the following options:
IM proxy incoming – Select to apply the policy to incoming instant message content.
IM proxy outgoing – Select to apply the policy to outgoing instant message content.
Click Select to update the policy settings available.

Filter – From the drop-down menu, select a filter to use. For more information on filters, see Creating Filters on page 111.

Action – From the drop-down list, select one of the following actions:
Block – Content which is matched by the filter is discarded.
Censor – Content which is matched by the filter is masked but the message is delivered to its destination.
Allow – Content which is matched by the filter is allowed and is not processed by any other filters.
Categorize – Content which is matched by the filter is allowed and logged.

Time period – From the drop-down menu, select a time period to use. For more information on time periods, see Setting Time Periods on page 110.

Log severity level – Select a level to assign to the content if it violates the policy, or accept the default setting. Based on the log severity level, you can configure Advanced Firewall to send an alert if the policy is violated. See Chapter 12, Configuring the Inappropriate Word in IM Monitor Alert on page 232 for more information.

Enabled – Select to enable the policy.

Comment – Optionally, enter a description of the policy.

3 Click Add and, at the top of the page, click Restart to apply the policy. Advanced Firewall applies the policy and adds it to the list of current policies.

Editing Policies

You can add, change or delete a policy.

To edit a policy:

1 Browse to the Services > Message censor > Policies page.
2 In the Current policies area, select the policy and click Edit.
3 Edit the settings as required; see Creating and Applying Message Censor Policies on page 113 for information on the settings available. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.

Deleting Policies

You can delete policies which are no longer required.

To delete policies:

1 Browse to the Services > Message censor > Policies page.
2 In the Current policies area, select the policy or policies and click Remove.
3 At the top of the page, click Restart to apply the changes.

Managing the Intrusion System

Advanced Firewall’s intrusion system performs real-time packet analysis on all network traffic in order to detect and prevent malicious network activity. Advanced Firewall can detect a vast array of well-known service exploits including buffer overflow attempts, port scans and CGI attacks. All violations are logged and the logged data can be used to strengthen the firewall by creating IP block rules against identified networks and source IPs.

About the Default Policies

By default, Advanced Firewall comes with a number of intrusion policies which you can deploy immediately. The default policies will change as emerging threats change and will be updated regularly.

Deploying Intrusion Detection Policies

Advanced Firewall’s default policies enable you to deploy intrusion detection immediately to identify threats on your network.

Note: Currently, it is not possible to deploy Advanced Firewall intrusion prevention policies and run SmoothTraffic at the same time. This limitation will be removed as soon as possible. Contact your Smoothwall representative if you need more information.

To deploy an intrusion detection policy:

1 Browse to the Services > Intrusion system > IDS page.

2 Configure the following settings:

IDS Policy – From the drop-down list, select the policy you want to deploy. You can select from the default policies provided with Advanced Firewall or customize a policy to suit your network. See About the Default Policies on page 114 for more information on the policies available, and Chapter 8, Creating Custom Policies on page 117.
Interface – From the drop-down list, select the interface on which you want to deploy the policy.
Comment – Enter a description for the policy.
Enabled – Select this option to enable the policy.

3 Click Add. Advanced Firewall deploys the policy and lists it in the Current IDS policies area.

Removing Intrusion Detection Policies

To remove an intrusion detection policy from deployment:

1 Browse to the Services > Intrusion system > IDS page.
2 In the Current IDS policies area, select the policy you want to remove.
3 Click Remove. Advanced Firewall removes the policy.

Deploying Intrusion Prevention Policies

Note: Currently, it is not possible to deploy Advanced Firewall intrusion prevention policies and run SmoothTraffic at the same time. This limitation will be removed as soon as possible. Contact your Smoothwall representative if you need more information.

Advanced Firewall enables you to deploy intrusion prevention policies to stop intrusions such as known and zero-day attacks, undesired access and denial of service.

To deploy an intrusion prevention policy:

1 Browse to the Services > Intrusion system > IPS page.

2 Configure the following settings:

IPS Policy – From the drop-down list, select the policy you want to deploy. You can select from the default policies provided with Advanced Firewall or customize a policy to suit your network. See About the Default Policies on page 114 for more information on the policies available, and Chapter 8, Creating Custom Policies on page 117.
Comment – Enter a description for the policy.
Enabled – Select this option to enable the policy.

3 Click Add. Advanced Firewall lists the policy in the Current IPS policies area.

Removing Intrusion Prevention Policies

To remove an intrusion prevention policy from deployment:

1 Browse to the Services > Intrusion system > IPS page.
2 In the Current IPS policies area, select the policy you want to remove.
3 Click Remove. Advanced Firewall removes the policy.

Creating Custom Policies

By default, Advanced Firewall contains a number of policies which you can deploy to detect and prevent intrusions. It is also possible to create custom policies to suit your individual network.

To create a custom policy:

1 Browse to the Services > Intrusion system > Policies page.

2 Configure the following settings:

Name – Enter a name for the policy you are creating.
Signatures – From the list, select the signatures you want to include in the policy. For information on how to add custom signatures, see Uploading Custom Signatures on page 118.
Comment – Enter a description for the custom policy.

Tip: If the list of signatures takes some time to load, try upgrading to the latest version of your browser to speed up the process.

3 Click Add. Advanced Firewall creates the policy and lists it in the Current policies area. The policy is now available when deploying intrusion detection and intrusion prevention policies. For more information, see Deploying Intrusion Detection Policies on page 114 and Deploying Intrusion Prevention Policies on page 115.

Uploading Custom Signatures

Advanced Firewall enables you to upload custom signatures and/or Sourcefire Vulnerability Research Team (VRT) signatures and make them available for use in intrusion detection and prevention policies.

Note: Use custom signatures with caution, as Advanced Firewall cannot verify custom signature integrity.

To upload custom signatures:

1 Navigate to the Services > Intrusion system > Signatures page.

2 Configure the following settings:

Custom signatures – Click Browse to locate and select the signatures file you want to upload. Click Upload to upload the file. Advanced Firewall uploads the file and makes it available for inclusion in detection and prevention policies on the Services > Intrusion system > Policies page.
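Since the firewall cannot vouch for a custom signature file, a pre-upload check of the kind below is worth running first. It is an added example, not Smoothwall's code, and it assumes the file is written in Snort rule syntax (the format of the Sourcefire VRT sets the same page can fetch; the guide does not state the custom file format). It parses each rule header, and reports rules that lack a msg or a sid, re-use a sid already used in the file, or use an action or protocol Snort does not define. The sample rules are constructed.

```python
import re

# Snort rule syntax is assumed for custom signature files.
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


def check_rules(text: str):
    """Parse a custom sign file; return (rules, problems).

    rules:    one dict per rule line (line, action, proto, sid, msg)
    problems: 'line N: ...' strings for things the upload would accept but an
              analyst wants to know before the file reaches a live policy
    """
    rules, problems, seen_sids = [], [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                         # blank lines and comments are fine
        m = HEADER_RE.match(line)
        if not m:
            problems.append(f"line {n}: not a rule (header or options unparsable)")
            continue
        if m["action"] not in ACTIONS:
            problems.append(f"line {n}: unknown action {m['action']!r}")
        if m["proto"] not in PROTOCOLS:
            problems.append(f"line {n}: unknown protocol {m['proto']!r}")
        sid_m, msg_m = SID_RE.search(m["opts"]), MSG_RE.search(m["opts"])
        sid = int(sid_m.group(1)) if sid_m else None
        if msg_m is None:
            problems.append(f"line {n}: missing msg (alerts would be unlabelled)")
        if sid is None:
            problems.append(f"line {n}: missing sid")
        elif sid in seen_sids:
            problems.append(f"line {n}: sid {sid} already used on line {seen_sids[sid]}")
        else:
            seen_sids[sid] = n
        rules.append({"line": n, "action": m["action"], "proto": m["proto"],
                      "sid": sid, "msg": msg_m.group(1) if msg_m else None})
    return rules, problems


# Constructed sample file; these are not real signatures.
SAMPLE = """\
# custom rules (constructed example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed: probe of /cgi-bin/"; content:"/cgi-bin/"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed: rule without a sid"; content:"SSH-";)
drop udp any any -> $HOME_NET 53 (msg:"constructed: duplicate sid"; sid:1000001; rev:1;)
block tcp any any -> any 25 (msg:"constructed: action Snort does not know"; sid:1000002;)
"""

if __name__ == "__main__":
    parsed, issues = check_rules(SAMPLE)
    print(f"{len(parsed)} rules, {len(issues)} problems")
    for issue in issues:
        print(" ", issue)
```

A duplicate sid is the one most worth catching: two rules sharing an identifier make the resulting events impossible to tell apart in the logs that the IP block rules described above are built from.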

Use syslog for Intrusion logging – Select this option to enable logging intrusion events in the syslog.
Oink code – If you have signed up with Sourcefire to use their signatures, enter your Oink code here. Click Update to update and apply the latest signature set. Advanced Firewall downloads the signature set and makes it available for inclusion in detection and prevention policies on the Services > Intrusion system > Policies page. Treat the Oink code as a credential: it identifies your Sourcefire account.
Note: Updating the signatures can take several minutes.

3 Click Save.

Deleting Custom Signatures

It is possible to delete custom signatures that have been made available on the Services > Intrusion system > Policies page. Any custom signatures you have uploaded to Advanced Firewall or Sourcefire VRT signatures you have downloaded to Advanced Firewall will be listed on the Services > Intrusion system > Policies page.

Note: If you choose to delete custom signatures, Advanced Firewall will delete all custom signatures. If there are detection or prevention policies which use custom signatures, the signatures will be deleted from the policies. For information on deploying intrusion policies, see Deploying Intrusion Detection Policies on page 114 and Deploying Intrusion Prevention Policies on page 115.

To delete custom signatures:

1 On the Services > Intrusion system > Signatures page, click Delete.
2 Advanced Firewall prompts you to confirm the deletion. Click Confirm. Advanced Firewall deletes the signatures.

DHCP

Advanced Firewall's Dynamic Host Configuration Protocol (DHCP) service enables network hosts to automatically obtain an IP address and other network settings. Advanced Firewall DHCP provides a fully featured DHCP server, with the following capabilities:

• Support for 2 DHCP subnets
• Allocate addresses within multiple dynamic ranges and static assignments per DHCP subnet
• Automate the creation of static assignments using the ARP cache

Enabling DHCP

To enable DHCP:

1 Navigate to the Services > DHCP > Global page.

2 Configure the following settings:

Enabled – Select to enable the DHCP service.
Server – Select to set the DHCP service to operate as a DHCP server in standalone mode for network hosts.
Relay (forwarding proxy) – Select to set the DHCP service to operate as a relay, forwarding DHCP requests to another DHCP server.
Enable logging – Select to enable logging.

3 Click Save to enable the service.

Creating a DHCP Subnet

The DHCP service enables you to create DHCP subnets. Each subnet can have a number of dynamic and static IP ranges defined.

To create a DHCP subnet:

1 Navigate to the Services > DHCP > DHCP server page.

2 Configure the following settings:

DHCP Subnet – From the drop-down menu, select Empty and click Select.
Subnet name – Enter a name for the subnet.
Network – Enter the IP address that specifies the network ID of the subnet when combined with the network mask value entered in the Netmask field. For example: 192.168.10.0.
Netmask – Define the subnet range by entering a network mask, for example 255.255.255.0.
Primary DNS – Enter the value that a requesting network host will receive for the primary DNS server it should use.
Secondary DNS – Optionally, enter the value that a requesting network host will receive for the secondary DNS server it should use.

Default gateway – Enter the value that a requesting network host will receive for the default gateway it should use.
Domain name suffix – Enter the domain name suffix that will be appended to the requesting host's hostname.
Default lease time (mins) – Enter the lease time in minutes assigned to network hosts that do not request a specific lease time. The default value is usually sufficient.
Max lease time (mins) – Enter the lease time limit in minutes to prevent network hosts requesting, and being granted, impractically long DHCP leases. The default value is usually sufficient.
Enabled – Determines whether the DHCP subnet is currently active.

Click Advanced to access the following settings:

Primary WINS – Optionally, enter the value that a requesting network host will receive for the primary WINS server it should use. This is often not required on very small Microsoft Windows networks.
Secondary WINS – Optionally, enter the value that a requesting network host will receive for the secondary WINS server it should use. This is often not required on very small Microsoft Windows networks.
Primary NTP – Optionally, enter the IP address of the Network Time Protocol (NTP) server that the clients will use if they support this feature. Tip: Enter Advanced Firewall’s IP address and clients can use its time services if enabled. See Chapter 13, Setting Time on page 269 for more information.
Secondary NTP – Optionally, enter the IP address of a secondary Network Time Protocol (NTP) server that the clients will use if they support this feature. Tip: Enter Advanced Firewall’s IP address and clients can use its time services if enabled. See Chapter 13, Setting Time on page 269 for more information.
TFTP server – Enter which Trivial File Transfer Protocol (TFTP) server workstations will use when booting from the network.
Network boot filename – Specify to the network booting client which file to download when booting off the above TFTP server.
Automatic proxy config URL – Specify a URL which clients will use for determining proxy settings. Note that it should reference a proxy auto-config (PAC) file and only some systems and web browsers support this feature.
Custom DHCP options – Any custom DHCP options created on the Services > DHCP > Custom options page are listed for use on the subnet. For more information, see Creating Custom DHCP Options on page 125.

3 Click Save.

Note: For the DHCP server to be able to assign these settings to requesting hosts, further configuration is required. Dynamic ranges and static assignments must be added to the DHCP subnet so that the server knows which addresses it should allocate to the various network hosts.

For example. 4 Comment Enter a description of the dynamic range.168. Enabled Select to enable the dynamic range. End address Enter the end of an IP range over which the DHCP server should supply dynamic addresses to. Deleting a DHCP subnet To delete a DHCP subnet: 1 Navigate to the Services > DHCP > DHCP server page. enter 192. 3 In the Add a new dynamic range. Adding a Dynamic Range Dynamic ranges are used to provide the DHCP server with a pool of IP addresses in the DHCP subnet that it can dynamically allocate to requesting hosts. 2 From the DHCP Subnet drop-down list.10. select the subnet and click Select. 4 Click Save.Smoothwall Advanced Firewall Administrator’s Guide Editing a DHCP subnet To edit a DHCP subnet: 1 Navigate to the Services > DHCP > DHCP server page. Adding a Static Assignment Static assignments are used to allocate fixed IP addresses to nominated hosts. 3 Edit the settings displayed in the Settings area. The dynamic range is added to the Current dynamic ranges table. and click Select. This is done by referencing the unique MAC address of the requesting host’s network interface card. This address range should not contain the IPs of other machines on your LAN with static IP assignments. Click Add dynamic range. This is used to ensure that certain hosts are always leased the same IP address. and click Select. as if they were configured with a static IP address. 2 Choose an existing DHCP subnet profile from the DHCP subnet drop-down list. To add a static assignment to an existing DHCP subnet: 1 Navigate to the Services > DHCP > DHCP server page. 2 From the DHCP Subnet drop-down list. 2 Choose an existing DHCP subnet from the DHCP subnet drop-down list.15. 123 . This address range should not contain the IPs of other machines on your LAN with static IP assignments. configure the following settings: Setting Description Start address Enter the start of an IP range over which the DHCP server should supply dynamic addresses from. 
select the subnet and click Select. 3 Click Delete. To add a dynamic range to an existing DHCP subnet: 1 Navigate to the Services > DHCP > DHCP server page.

3 Scroll to the Add a new static assignment area and configure the following settings:

MAC address – Enter the MAC address of the network host’s NIC as reported by an appropriate network utility on the host system. This is entered as six pairs of hexadecimal numbers, with a space, colon or other separator character between each pair, e.g. 12 34 56 78 9A BC or 12:34:56:78:9A:BC.
IP address – Enter the IP address that the host should be assigned.
Enabled – Select to enable the assignment.
Comment – Enter a description of the static assignment.

4 Click Add static.

5 Click Save. The static assignment is added to the Current static assignments table.

Adding a Static Assignment from the ARP Table

In addition to the previously described means of adding static DHCP assignments, it is possible to add static assignments automatically from MAC addresses detected in the ARP table.

To add a static assignment from the ARP cache to an existing DHCP subnet:

1 Navigate to the Services > DHCP > DHCP server page.
2 Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
3 Scroll to the Add a new static assignment from ARP table area.
4 Select one or more MAC addresses from those listed and click Add static from ARP table.

Editing and Removing Assignments

To edit or remove existing dynamic ranges and static assignments, use the options available in the Current dynamic ranges and Current static hosts areas.

Viewing DHCP Leases

To view free leases:

1 Navigate to the Services > DHCP > DHCP leases page.

2 Select Show free leases and click Update. The following information is displayed:

IP address – The IP address assigned to the network host that submitted a DHCP request.
MAC address – The MAC address of the network host that submitted a DHCP request.
Hostname – The hostname assigned to the network host that submitted a DHCP request.
Start time – The start time of the DHCP lease granted to the network host that submitted a DHCP request.
End time – The end time of the DHCP lease granted to the network host that submitted a DHCP request.
State – The current state of the DHCP lease. The state can be either Active, that is, currently leased, or Free. For example, the IP address is reserved for the same MAC address, or re-used if not enough slots are available.

DHCP Relaying

Advanced Firewall DHCP relay enables you to forward all DHCP requests to another DHCP server and re-route DHCP responses back to the requesting host.

Note: DHCP relaying must be enabled on the Services > DHCP > Global page.

To configure DHCP relaying:

1 Connect to Advanced Firewall and navigate to the Services > DHCP > DHCP relay page.
2 Enter the IP addresses of an external primary and secondary (optional) DHCP server into the Primary DHCP server and Secondary DHCP server fields.
3 Click Save.

Creating Custom DHCP Options

Advanced Firewall enables you to create and edit custom DHCP options for use on subnets. For example, to configure and use SIP phones you may need to create a custom option which specifies a specific option code and SIP directory server.

To create a custom option:
1 Browse to the Services > DHCP > Custom options page.
2 Configure the following settings:

Setting – Description
Option code – From the drop-down list, select the code to use. The codes available are between the values of 128 and 254, with 252 excluded as it is already allocated.
Option type – From the drop-down list, select the option type:
  IP address – Select when creating an option which uses an IP address.
  Text – Select when creating an option which uses text.
Description – Enter a description for the option. This description is displayed on the Services > DHCP > DHCP server page.
Comment – Optionally, enter any comments relevant to the option.
Enabled – Select to enable the option.

3 Click Add. Advanced Firewall creates the option and lists it in the Current custom options area.

For information on using custom options, see Creating a DHCP Subnet on page 120.

Chapter 9 Virtual Private Networking

In this chapter:
• All about Advanced Firewall, VPNs and tunnels.

Advanced Firewall VPN Features
Advanced Firewall contains a rich set of Virtual Private Network (VPN) features:

Feature – Description
IPSec site-to-site – Industry-standard IPSec site-to-site VPN tunneling.
IPSec road warriors – Mobile user VPN support using IPSec road warrior clients such as SafeNet SoftRemote, as well as others.
L2TP road warriors – Mobile user VPN support using Microsoft Windows 2000 and XP, as well as older versions of Windows; the software is part of the Windows operating system. No client software required.
SSL VPN – Mobile user VPN support using OpenVPN SSL and a light-weight client installed on the user's computer/laptop.
Internal VPNs – Support for VPNs routed over internal networks.
Authentication – Industry-standard X509 certificates or PreShared Keys (subnet VPN tunnels).
Certificate management – Full certificate management controls built into the interface, with import and export capabilities in a number of formats. Self-signed certificates can be generated.
Tunnel controls – Individual controls for all VPN tunnels.
Logging – Comprehensive logging of individual VPN tunnels.

What is a VPN?
A VPN, in the broadest sense, is a network route between computer networks, or individual computers, across a public network. The public network, in most cases, is the Internet. Typically, a VPN replaces a leased line or other circuit which is used to link networks together over some geographic distance. In a similar way to how a VPN can replace leased line circuits used to route networks together, a VPN can also replace Remote Access Server (RAS) phone or ISDN lines. These types of connections are usually referred to as road warriors.

The P in VPN technologies refers to the encryption and authentication employed to maintain an equivalent level of privacy that one would expect using a traditional circuit which a VPN typically replaces. There are several technologies which implement VPNs. Some are wholly proprietary, others are open standards. The most commonly deployed VPN protocol is called IPSec, for IP Security, and is a well

established and open Internet standard. Many implementations of this standard exist, and generally all vendors of network security products will have an offering in their product portfolio.

VPNs are mostly used to link multiple branch office networks together, i.e. site-to-site VPNs, or to connect mobile and home users, road warriors, to their office network. The network route between a site-to-site or road warrior VPN is provided by a VPN tunnel. All data traversing the tunnel is encrypted, thus making the tunnel and its content unintelligible and therefore private to the outside world.

About VPN Gateways
A VPN gateway is a network device responsible for managing incoming and outgoing VPN connections. Tunnels can be formed between two VPN gateways. A VPN gateway must perform a number of specific tasks:
• Allow VPN tunnels to be configured.
• Allow VPN tunnels to be managed.
• Authenticate the other end of a VPN connection.
• Encrypt all data presented to the VPN tunnel into secure data packets.
• Decrypt secure data received from the VPN tunnel.
• Route all data received from its own Local Area Network (LAN) to the correct VPN tunnel.
• Route all data received from the tunnel to the correct computer on the LAN.

Administrator Responsibilities
A network administrator has three responsibilities:
• Specify the tunnel – define the tunnel on each VPN gateway.
• Configure authentication – define a secure means for each VPN gateway to identify the other, ensuring it can be identified and trusted.
• Manage tunnels – control the opening and closing of tunnels.

About VPN Authentication
Authentication is the process of validating that a given entity, that is a person, system or device, is actually who or what it identifies itself to be. A gateway that initiates a VPN connection must be assured that the remote gateway is the right one. Conversely, the remote gateway must be assured that the initiating gateway is not an imposter. Since VPN gateways are not usually in the same physical location, it is not readily determinable that either gateway is genuine.

Advanced Firewall supports several authentication methods that can be used to validate a VPN gateway's identity:

Authentication method – Description
Pre-Shared Key – Usually referred to as PSK, this is a simplistic authentication method based on a password challenge. For more information, see PSK Authentication on page 129.
X509 – An industry strength and internationally recognized authentication method using a system of digital certificates, as published by the ITU-T and ISO standardization bodies. For more information, see X509 Authentication on page 129.

Username/password – In addition to using X509, all users of L2TP road warrior connections must enter a valid username and password, as specified when the L2TP tunnel definition is created. This ensures that both the user and the VPN gateway (the L2TP client) are authenticated.

A more in depth examination of the PSK and X509 authentication methods can be found in the following sections, including recommendations for the usage of each.

PSK Authentication
To use the Pre-Shared Key (PSK) method, connecting VPN gateways are pre-configured with a shared password that only they know. When initiating a VPN connection, each gateway requests the other's password. If the password received by each gateway matches the password stored by each gateway, both gateways know that the other must be genuine. Hence, each gateway is authentic and a secure, trusted VPN tunnel can be established.

The simplicity of PSK is both its strength and its weakness. While PSK tunnels are quick to set up, there are human and technological reasons that make this method unsuitable for larger organizations. Password protection is easily circumvented as passwords are frequently written down, spoken aloud or shared amongst administrator colleagues. Some VPN configurations will also require multiple tunnels to use the same password – highly undesirable if your organization intends to create multiple road warrior VPN connections. While it is possible to create large VPN networks based entirely on PSK authentication, such a scheme is likely to prove unmanageable in the long run and liable to misuse. PSK authentication is best suited when a single site-to-site or road warrior VPN capability is required.

X509 Authentication
In this model, each VPN gateway is given a digital certificate that it can present to prove its identity, much like a traveler can present his or her passport. X509 utilizes public-key cryptography. Digital certificates are created and issued by a trusted entity called a Certificate Authority (CA), just like a government is entrusted to provide its citizens with passports. In the world of digital certificates, a CA can be called upon to validate the authenticity of a certificate, in the same way that a government can be asked to validate a citizen's passport.

About Digital Certificates
A digital certificate, referred to here as a certificate, is an electronic document that uniquely identifies its owner. Certificates contain information about both the owner, the subject, and the issuer, the CA, and contain the following information:

Information – Description
Subject – Information about who the certificate was issued to, i.e. their country, company name etc.
Issuer – Information about the CA that created and signed the certificate.
Validity period – The start and expiry dates, during which time the certificate is valid.
Certificate ID – An alternative identifier for the certificate owner in abbreviated form.

Public-key cryptography is an encryption mechanism that involves the use of a mathematically related pair of encryption keys, one called a private key and the other called a public key. The mathematical relationship allows messages encrypted with the private key to be decrypted by the public key and vice versa. It is computationally infeasible to derive either key from the other. It is also impossible for any other key to decrypt a message apart from the encrypting key's counterpart. If the private key is kept secret by its owner, and the public key is freely accessible to all, any message successfully decrypted using the public key can only have originated from the private key owner.

This concept is exploited by CAs to sign all certificates they create. To sign a certificate, the CA takes the content of the certificate and encrypts it using its private key. The encrypted content is inserted into the certificate, much like a watermark or other security feature is added to a passport by a government. Anybody wishing to determine the authenticity of the certificate can therefore attempt to decrypt the CA signature using the public key attainable from the issuing CA. If the signature can be successfully decrypted and matches the issuer details declared in the certificate, the certificate is proven to be authentic.

However, this only proves that the CA genuinely issued the certificate. Just because a passport was validly issued by a government does not mean that the person presenting it is its rightful owner. This is solved by one further stage of encryption: this time the certificate owner uses its private key to encrypt the entire certificate (including the CA's signature) before presenting the certificate. It can now be proven beyond all doubt that the certificate is the property of its rightful owner (by decrypting it using the owner's public key) and that the certificate was issued by the specified CA (by decrypting the CA's signature from the certificate using the CA's public key), thus proving that the certificate is genuine.

It is usual for a single CA to provide certificates for an entire network of peer systems, but there are alternative schemes that use multiple CAs which will be discussed later.

Advanced Firewall and Digital Certificates
Advanced Firewall is equipped to handle all aspects of setting up a self-contained X509 authentication system. Advanced Firewall enables you to:
• Create a trusted CA.
• Create signed, digital certificates.
• Manage exporting and installing certificates on other Advanced Firewall / VPN gateway systems.

Alternatively, digital certificates can be leased from companies like Verisign or Thawte and then imported, or they can be created by a separate CA such as the one included in Microsoft Windows 2000. The use of a local Advanced Firewall CA is recommended as a more convenient and equally secure approach.

Configuration Overview
The following sections cover the separate topics of CAs, certificates, site-to-site VPNs, road warrior VPNs, internal VPNs and management in great depth. As an overview to these sections, these are the steps required to create a typical site-to-site VPN connection:
1 On the master Advanced Firewall system, create a local Certificate Authority. For details, see Creating a CA on page 131.
2 Create certificates for the master Advanced Firewall system and the remote Advanced Firewall system.
3 Install the master Advanced Firewall's certificate as its default local certificate.
4 Create a tunnel specification on the master Advanced Firewall system that points to the remote Advanced Firewall system.

5 Export the CA certificate and the remote Advanced Firewall certificate from the master Advanced Firewall system.
6 Import the CA certificate on the remote Advanced Firewall system, as exported by step 5.
7 Import and install the remote Advanced Firewall system's certificate, as exported by step 5.
8 Create a tunnel specification on the remote Advanced Firewall system that matches the one created by step 4.
9 Bring the connection up.
10 Ensure that appropriate zone bridging rules are configured and active in order to permit traffic to and from the VPN tunnel. For further information see Chapter 6, Configuring Inter-Zone Security on page 59.

Note: For VPN configuration tutorials, see VPN Tutorials on page 178.

Working with Certificate Authorities and Certificates
A Certificate Authority (CA) is an implicitly trusted system that is responsible for issuing and managing digital certificates. A certificate created by a known CA can be authenticated as genuine. The following sections explain how to create a local CA using Advanced Firewall, for the purpose of creating certificates for VPN tunnel authentication. They also explain how to export and import CA certificates so that a remote Advanced Firewall has knowledge of the CA. Maintenance tasks such as how to delete CAs are also discussed.

Creating a CA
To create your own certificates for use in VPN tunnel authentication, you require access to at least one CA. It is possible to purchase certificates from an externally managed CA, but this can be inconvenient and costly. If you already have a CA on your network, it may be useful to use that, in which case refer to Importing Another CA's Certificate on page 133. This section explains how to create a CA using Advanced Firewall.

To create a CA:
1 Navigate to the VPN > VPN > Certificate authorities page.
2 Configure the following settings:

Setting – Description
Common name – Enter an easily identifiable name.
Department – Enter a departmental identifier.
Organization – Enter an organizational identifier.
Locality or town – Enter a locality or town.
State or province – Enter a state or province.
Country – Enter a two letter country code.
Email – Enter an administrative email address.
Life time – From the drop-down menu, select the length of time that the CA will remain valid for.
User defined (days) – If User defined is selected as the life time value of the CA, enter the number of days the CA will be valid.

3 Click Create Certificate Authority. The local CA is created and displayed.

Once a CA has been created, you can use it to create digital certificates for network hosts. You can also export the CA's own certificate to other systems which can use it to authenticate digital certificates issued by the CA.

Exporting the CA Certificate
Once a CA has been created, you need to export its certificate so that other systems can recognize and authenticate any signed certificates it creates. There are two different export formats:

To export the CA certificate:
1 Navigate to the VPN > VPN > Authorities page and configure the following settings:

Setting – Description
Name – In the Installed Certificate Authority certificates area, locate and select the local CA certificate.
Export format – From the drop-down list, select the format in which to export the certificate authority's certificate. The following formats are available:
  CA certificate in PEM – An ASCII (textual) certificate format commonly used by Microsoft operating systems. Select this format if the certificate is to be used on another Smoothwall System.
  CA certificate in BIN – A binary certificate format. Select this format if the certificate is to be used on a system which requires it. Consult the system's documentation for more information.

2 Click Export and choose to save the file to disk from the dialog box launched by your browser.

You can deliver the certificate to another system without any special security requirements since it contains only public information.

Deleting the Local Certificate Authority and its Certificate
Note: Deleting the local CA will invalidate all certificates that it has created.

To delete the local CA and its certificate:
1 Navigate to the VPN > VPN > Authorities page.
2 In the Delete local Certificate Authority region, select Confirm delete.
3 Click Delete Certificate Authority.

Once the local CA has been deleted, the Create local Certificate Authority region will be displayed. The Create local Certificate Authority region replaces the Delete local Certificate Authority region. This change in layout occurs because a CA no longer exists on the Advanced Firewall system.

Importing Another CA's Certificate
To authenticate a signed certificate produced by a non-local CA, you must import the non-local CA's certificate into Advanced Firewall. This is usually done on secondary Advanced Firewall systems so that they can authenticate certificates created by a master Advanced Firewall system's CA.
Note: The certificate must be in PEM format to be imported.

To import the CA's certificate:
1 Navigate to the VPN > VPN > Authorities page.
2 In the Import Certificate Authority certificate area, click Browse.
3 Locate and open the CA's certificate that you wish to import.
4 Click Import CA cert from PEM. The certificate is listed in the Installed Certificate Authority certificates area.
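The chain of trust described under X509 Authentication, as exercised by the create, export and import CA procedures above, in an added Go example that is not part of this guide or of the Smoothwall product: a head-office CA issues a branch gateway certificate, the CA certificate is exported in PEM, and the remote side verifies what it is presented with. It uses only Go's standard library; the CA names, the branch hostname and all subject fields are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// mint generates a key pair and has parent sign tmpl for it; a nil parent
// yields a self-signed certificate, which is how the CA itself is created.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate describes the local CA; subject fields are constructed placeholders.
func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Org"}, Country: []string{"GB"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(3650 * 24 * time.Hour), // the CA "Life time"
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// gatewayTemplate describes a VPN gateway certificate whose ID (the "Host & Domain
// Name" ID type) is a DNS SAN. days is the "Life time"; negative means already expired.
func gatewayTemplate(cn, hostID string, days int) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{hostID},
		NotBefore:    now.Add(-48 * time.Hour),
		NotAfter:     now.Add(time.Duration(days) * 24 * time.Hour),
	}
}

// toPEM encodes a certificate the way the "Certificate in PEM" export does.
func toPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// verifyPeer is the remote gateway's side: with the CA certificate imported, it checks
// the presented certificate is signed by that CA, in date, and carries the expected ID.
func verifyPeer(caPEM, peerPEM []byte, expectedID string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("no CA certificate found in PEM input")
	}
	block, _ := pem.Decode(peerPEM)
	if block == nil {
		return errors.New("peer certificate is not PEM-encoded")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	// The signature must verify under the CA's public key; DNSName enforces the ID.
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedID})
	return err
}

// Demo builds a head-office CA and an untrusted CA, issues branch certificates from
// each and verifies them as the remote gateway would. Only the first is accepted.
func Demo() (genuine, wrongID, expired, otherCA bool) {
	const branchID = "branch.example.invalid" // constructed Host & Domain Name ID
	ca, caKey := mint(caTemplate("Head Office CA"), nil, nil)
	rogue, rogueKey := mint(caTemplate("Untrusted CA"), nil, nil)
	good, _ := mint(gatewayTemplate("Branch Office", branchID, 365), ca, caKey)
	old, _ := mint(gatewayTemplate("Branch Office", branchID, -1), ca, caKey)
	fake, _ := mint(gatewayTemplate("Branch Office", branchID, 365), rogue, rogueKey)
	caPEM := toPEM(ca) // what exporting the CA certificate in PEM format produces
	ok := func(c *x509.Certificate, id string) bool { return verifyPeer(caPEM, toPEM(c), id) == nil }
	return ok(good, branchID), ok(good, "other.example.invalid"), ok(old, branchID), ok(fake, branchID)
}
```

The three rejected cases correspond to the checks the guide relies on: the Remote ID value, the Validity period, and a certificate from a CA whose certificate was never imported.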

Deleting an Imported CA Certificate
To delete an imported CA's certificate:
1 Navigate to the VPN > VPN > Authorities page.
2 Locate and select the non-local CA certificate in the Installed Certificate Authority certificates region.
3 Click Delete. The CA certificate will no longer appear in the Installed Certificate Authority certificates region and Advanced Firewall will not be able to authenticate any certificates created by it.

Managing Certificates
The following sections explain how to create, view, import, export and delete certificates in Advanced Firewall.

Creating a Certificate
Once a local Certificate Authority (CA) has been created, you can generate certificates. The first certificate created is usually for the Advanced Firewall system that the CA is installed on. This is because the Advanced Firewall VPN gateway is a separate entity to the CA, and therefore requires its own certificate. It is normal for a single CA to create certificates for all other hosts that will be used as VPN gateways, i.e. all other Advanced Firewall systems.

To create a new signed certificate:
1 Navigate to the VPN > VPN > Certificates page.

2 Scroll to the Create new signed certificate area and configure the following settings:

Setting – Description
ID type – From the drop-down menu, select the certificate's ID type. The options are:
  No ID – Not recommended but available for inter-operability with other VPN gateways.
  IP address – Recommended for site-to-site VPNs whose gateways use static IP addresses.
  Host & Domain Name – Recommended for most site-to-site VPN connections.
  Email address – Recommended for road warrior or internal VPN connections.
ID value – Enter an ID value. For a site-to-site Advanced Firewall VPN this is typically a hostname. This does not need to be a registered DNS name. For a road warrior this is usually the user's email address. This does not need to be a real email address, although the use of a real email address is recommended.
Common name – Enter a common name for the certificate, for example Head Office.
Department – Enter a departmental identifier for the certificate owner.
Organization – Enter an organizational identifier for the certificate owner.
Locality or town – Enter a locality or town for the certificate owner.
State or province – Enter a state or province for the certificate owner.
Country – Enter a two letter country code.
Email – Enter an email address for the individual or host system that will own this certificate.
Life time – From the drop-down menu, select the length of time that the certificate will remain valid for.
User defined (days) – If User defined is selected as the life time value of the certificate, enter the number of days the certificate will be valid for.

3 Click Create signed certificate. The certificate is listed in the Installed signed certificates area.

Reviewing a Certificate
You can review the content of a certificate. Reviewing certificates can be useful for checking certificate content and validity.

To review a certificate:
1 Navigate to the VPN > VPN > Certificates page.
2 Locate the certificate that you wish to view in the Installed signed certificates region.
3 Click the certificate name. The content is displayed in a new browser window.
4 Close the browser window to return to Advanced Firewall.

Exporting Certificates
Any certificates you create for the purpose of identifying other network hosts must be exported so that they can be distributed to their owner.

To export a certificate:
1 Navigate to the VPN > VPN > Certificates page and scroll to the Installed signed certificates area.

2 Select the certificate you want to export and configure the following settings:

Setting – Description
Export format – From the drop-down menu, select the format in which to export the certificate. The following formats are available:
  Certificate in PEM – An ASCII (textual) certificate format commonly used by Microsoft operating systems. Recommended for all Advanced Firewall to Advanced Firewall VPN connections.
  Certificate in DER – A binary certificate format for use with non-Advanced Firewall VPN gateways.
  Private key in DER – Exports just the private key in binary for use with non-Advanced Firewall VPN gateways.

3 Click Export. The certificate will be saved to the browser's local file system in the specified format. Choose to save the certificate file (a .pem or .der file) to disk in the dialog box launched by your browser software.

Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that should only be known by the certificate owner.

Exporting in the PKCS#12 Format
PKCS#12 is a container format used to transport a certificate and its private key. It is recommended for use in all Advanced Firewall to Advanced Firewall VPNs and L2TP road warriors.

To export a certificate in the PKCS#12 container format:
1 Navigate to the VPN > VPN > Certificates page.
2 In the Installed signed certificates region, locate and select the certificate that you wish to export.
3 Enter and confirm a password in the Password and Again fields.
4 Click Export certificate and key as PKCS#12. The PKCS#12 file will be saved to the browser's local file system.
5 Choose to save the PKCS#12 container file (a .p12 file) to disk in the dialog box launched by your browser software.

Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that should only be known by the certificate owner.

Importing a Certificate
Advanced Firewall systems that do not have their own CA will be required to import and install a host certificate to identify themselves. This is the normal process for secondary Advanced Firewall systems, for example, branch office systems connecting to a head office that has an Advanced Firewall system and CA.

To import a certificate:
1 Navigate to the VPN > VPN > Certificates page. In the Import certificates area, configure the following settings:

Setting – Description
Password – Enter the password that was specified when the certificate was created.

Import PKCS#12 filename – To import a certificate in PKCS#12 format:
  1 Click Browse and navigate to and select the certificate file.
  2 Click Import certificate and key from PKCS#12.
Import PEM filename – To import a certificate in PEM format:
  1 Click Browse and navigate to and select the certificate file.
  2 Click Import certificate from PEM.

Advanced Firewall imports the signed certificate and lists it in the Installed signed certificates area.

Deleting a Certificate
To delete an installed certificate:
1 Navigate to the VPN > VPN > Certificates page.
2 In the Installed signed certificates region, locate and select the certificate that you wish to delete.
3 Click Delete. The signed certificate will be removed from the Installed signed certificates region.

Setting the Default Local Certificate
One of the most important configuration tasks is to set the default local certificate on each Advanced Firewall host. The default local certificate should be the certificate that identifies its host.

To set the default local certificate:
1 Navigate to the VPN > VPN > Global page.
2 In the Default local certificate region, select the host's certificate from the Certificate drop-down list and click Save.
3 When prompted by Advanced Firewall, click Restart to deploy the certificate. This certificate will now be used by default in all future tunnel specifications, unless otherwise specified.

Site-to-Site VPNs – IPSec
The following sections explain how to create a site-to-site VPN tunnel between two Advanced Firewall systems. The tunnel will use the IPSec protocol to create a secure, encrypted tunnel between head office and a branch office.

Recommended Settings
For Advanced Firewall to Advanced Firewall connections, the following settings are recommended for maximum security and optimal performance:

Setting – Selection
Encryption – AES
Authentication type – ESP

Hashing algorithm – SHA
Perfect Forward Secrecy – Enabled
Compression – Enabled, unless predominant VPN traffic is already encrypted or compressed.

Note: Many parameters are used when creating an IPSec site-to-site VPN tunnel. This section describes each parameter that can be configured when creating an IPSec tunnel. For Advanced Firewall to Advanced Firewall connections, many settings can be left at their default values. However, for maximum compatibility with other VPN gateways, some settings may require adjustment. For more VPN tutorials, see VPN Tutorials on page 178.

Creating an IPsec Tunnel
To create a site-to-site tunnel:
1 On the Advanced Firewall at head office, browse to the VPN > VPN > IPSec subnets page.
2 Configure the following settings:

Setting – Description
Name – Enter a descriptive name for the tunnel connection, for example: New York to London.
Enabled – Select to enable the connection.
Local IP – Enter the IP address of the external interface used on the local Advanced Firewall host. Note: This field should usually be left blank to automatically use the default external IP (recommended).

Local network – Specify the local subnet that the remote host will have access to. This is specified using the IP address/network mask format, e.g. 192.168.10.0/255.255.255.0.
Remote IP or hostname – Enter the IP address or hostname of the remote system. The remote IP can be left blank if the remote peer uses a dynamic IP address.
Remote network – Specify the remote subnet that the local host will have access to. This is specified using the IP address/network mask format, e.g. 192.168.20.0/255.255.255.0.
Authenticate by – From the drop-down list, select the authentication method. For more information on PSK and X509 authentication, see About VPN Authentication on page 128.
Local ID type – From the drop-down list, select the type of the ID that will be presented to the remote system. The choices are:
  Default local Certificate Subject – Uses the subject field of the default local certificate as the local certificate ID.
  Local IP – Uses the local IP address of the host as the local certificate ID.
  User specified IP address – Uses a user specified IP address as the local certificate ID.
  User specified Host & Domain Name – Uses a user specified host and domain name as the local certificate ID.
  User specified Email address – Uses a user specified email address as the local certificate ID.
  User specified Certificate Subject – Uses a user specified certificate subject as the local certificate ID.
  Note: User specified types are mostly used when connecting to non-Advanced Firewall VPN gateways. Consult your vendor's administration guide for details regarding the required ID type and its formatting.
Local ID value – This field is only used if the local ID type is a User specified type (this is typically used when connecting to non-Advanced Firewall VPN gateways).
Remote ID type – From the drop-down menu, select the type of ID that the remote gateway is expected to present. The choices available are:
  Remote IP (or ANY if blank Remote IP) – The remote ID is the remote IP address, or any other form of presented ID.
  User specified IP address – Allows the user to specify a custom IP address that it should expect the remote gateway to present as ID.
  User specified Host & Domain Name – Allows the user to specify a custom host and domain name that it should expect the remote gateway to present as ID.
  User specified Email address – Allows the user to specify a custom email address that it should expect the remote gateway to present as ID.
  User specified Certificate Subject – Allows the user to specify a custom certificate subject string that it should expect the remote gateway to present as ID (typically used for non-Advanced Firewall VPN gateways).
Remote ID value – Enter the value of the ID used in the certificate that the remote peer is expected to present. In most cases, you can leave this field blank because its value will be automatically retrieved by Advanced Firewall during the connection process (according to the chosen ID type).

Preshared key – Enter the preshared key when PSK is selected as the authentication method.
Preshared key again – Re-enter the preshared key entered in the Preshared key field if PSK is selected as the authentication method.
Authentication type – Select the authentication type used during the authentication process. This setting must be the same on the tunnel specifications of both connecting gateways.
  ESP – Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance.
  AH – IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. Because AH provides only authentication and not encryption, AH is not recommended. It is useful for compatibility with older VPN gateways.
Use compression – Select to compress tunnel communication. This is useful for low bandwidth connections, but it does increase CPU utilization on both host systems. The benefits of compression also vary depending on the type of traffic that will flow through the tunnel. For example, compressing encrypted data such as HTTPS, or VPN tunnels within tunnels, may decrease performance. The same rule applies when transferring data that is already compressed, for example streaming video. For any tunnel with a high proportion of encrypted or already-compressed traffic, compression is not recommended. For non-encrypted, uncompressed traffic, compression is recommended. This setting should be the same on both tunnel specifications of two connecting gateways.
Perfect Forward Secrecy – Select to enable the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS.
Initiate the connection – Select to enable the local VPN system to initiate this tunnel connection if the remote IP address is known.
Interface – Select which interface will be used for this connection, either an external or an internal interface. PRIMARY means the connection will be on the external interface.
Comment – Enter a descriptive comment for the tunnel, for example: London connection .100 to Birmingham .250.

3 Optionally, click Advanced.

Note: Advanced settings are usually used for compatibility with other VPN gateway systems, although they can be tweaked for performance gains in Advanced Firewall to Advanced Firewall VPN connections. For more information, see Advanced VPN Configuration on page 171.

4 Enter the following information:

Setting – Description
Local certificate – This is used in non-standard X509 authentication arrangements.

Phase 1 cryptographic algo: Select the encryption algorithm to use for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
3DES – A triple strength version of the DES cryptographic standard using a 168-bit key. 3DES was a very strong encryption algorithm but has been exceeded in recent years and is now regarded as a legacy cipher. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility only.
AES 128 – Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. Recommended for faster performance and compatibility.
AES 256 – Advanced Encryption Standard with a 256-bit key. It is recommended for maximum security and performance.
Phase 1 hash algo: Select the hashing algorithm to use for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
MD5 – A cryptographic hash function producing a 128-bit digest. MD5 is no longer considered secure and should only be selected for compatibility with older gateways.
SHA – Secure Hash Algorithm (SHA-1), producing a 160-bit digest, and the US government's hashing standard at the time of writing. Recommended over MD5.
Phase 2 cryptographic algo: Select the encryption algorithm to use for the second phase of VPN tunnel establishment. See Phase 1 cryptographic algo for more information on the options. This setting should be the same on both tunnel specifications of two connecting gateways.
Phase 2 hash algo: Select the hashing algorithm to use for the second phase of VPN tunnel establishment. See Phase 1 hash algo for more information on the options. This setting should be the same on both tunnel specifications of two connecting gateways.
Key life: Set the length of time that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, which limits how much traffic any one key protects and so reduces the threat of snooping attacks. This setting should be the same on both tunnel specifications of two connecting gateways.
IKE lifetime: Set how frequently, in minutes, the Internet Key Exchange keys are re-exchanged. The default and maximum value of 60 minutes is recommended.
Key tries: Set the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because, if an active connection drops, it will persistently try to re-key a connection that it cannot initiate.
Do not rekey: Select to disable re-keying. This can be useful when working with NAT-ed endpoints.

Local internal IP: This optional setting is used when Advanced Firewall itself sends traffic in the IPsec tunnel. Enter the IP of the network interface to use when Advanced Firewall itself sends traffic in the tunnel.
Note: If you do not use this setting, Advanced Firewall will not, itself, be able to send traffic in the IPsec tunnel.

5 Click Add to create the tunnel.

IPSec Site to Site and X509 Authentication – Example
This example explains how to create a site-to-site IPSec tunnel using X509 authentication between two Advanced Firewall systems.

Prerequisite Overview
Before you start, you must do the following:
1 Create a CA on the local system. For information on how to do this, see Creating a CA on page 131.
2 Create certificates for the local and remote systems using Host and Domain Name as the ID type. For information on how to do this, see Creating a Certificate on page 134.
3 Install the local certificate as the default local certificate on the local system. For information on how to do this, see Importing a Certificate on page 136.
4 Export the CA certificate in PEM format. For information on how to do this, see Exporting Certificates on page 135.
5 Export the remote certificate in the PKCS#12 container format. For information on how to do this, see Exporting in the PKCS#12 Format on page 136.
6 Import and install the certificate as the default local certificate on the remote system. For information on how to do this, see Importing a Certificate on page 136.
Once the above steps have been completed, proceed with creating tunnel specifications on the local and remote systems as detailed in the following sections.

Creating the Tunnel on the Primary System
To create the tunnel on the primary system:
1 On the primary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave empty. It will be automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select Default local Certificate ID. This will identify the primary system to the secondary system by using the host and domain name ID value in the primary system's default local certificate.
Local ID value: Leave empty. Its value will be automatically retrieved by Advanced Firewall during the connection process.

Remote IP or hostname: If the secondary system has a static IP address or hostname, enter it here. If the secondary system has a dynamic IP address, leave this field blank.
Remote network: Specify the network on the secondary system that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing network on the secondary system. For example, 192.168.20.0/255.255.255.0.
Remote ID type: From the drop-down list, select User specified Host & Domain Name. This matches the secondary system's certificate type of Host and Domain Name.
Remote ID value: Enter the ID value (the hostname) of the secondary system's default local certificate.
Authenticate by: From the drop-down list, select Certificate provided by peer. This will instruct Advanced Firewall to authenticate the secondary system by validating the certificate it presents as its identity credentials.
Preshared Key: Leave empty.
Preshared Key again: Leave empty.
Use compression: Select to reduce bandwidth consumption. This is useful for low bandwidth connections; however, it will require more processing power.
Initiate the connection: Do not select. It will be the responsibility of all secondary systems to initiate their own connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment. For example, Tunnel to Branch Office.
2 Click Add to create the tunnel specification and list it in the Current tunnels area. The advanced settings are left to their default values in this example.
The next step is to create a matching tunnel specification on the remote system.

Creating the Tunnel on the Secondary System
To create the tunnel on the secondary system:
1 On the secondary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave empty. It will be automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
Local ID type: From the drop-down list, select Default local Certificate ID. This will identify the secondary system to the primary system by using the host and domain name ID value in the secondary system's default local certificate.

Local ID value: Leave empty. Its value will be automatically retrieved by Advanced Firewall during the connection process.
Remote IP or hostname: Enter the external IP address of the primary system, as listed in Prerequisite Overview on page 144. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and therefore requires a destination IP address in order to make first contact.
Remote network: Enter the network on the primary system that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing network on the primary system. For example, 192.168.10.0/255.255.255.0.
Remote ID type: From the drop-down list, select User specified Host & Domain Name. This matches the primary system's certificate type of Host and Domain Name.
Remote ID value: Enter the ID value (the hostname) of the primary system's default local certificate.
Authenticate by: From the drop-down list, select Certificate provided by peer. This instructs Advanced Firewall to authenticate the primary system by validating the certificate it presents as its identity credentials.
Preshared Key: Leave empty.
Preshared Key again: Leave empty.
Use compression: Select if you selected it on the primary system.
Initiate the connection: Select, as the secondary system is responsible for its connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment, for example, Tunnel to Head Office.
2 Click Add. All advanced settings can be safely left at their defaults.
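The two tunnel specifications above only work if they mirror each other (my Local network is your Remote network, my Remote ID value is the ID in your certificate, exactly one side initiates and that side has a Remote IP), and the advanced settings described earlier must agree on both gateways. The following Python script is an added example, not code from Smoothwall or from this guide; it encodes those rules as a check to run over a pair of specifications before clicking Add. The dict keys, the certificate IDs head.example.com and branch.example.com, the documentation address 203.0.113.10 standing in for the head office's external IP, and the 20-character minimum for preshared keys are assumptions of the example. The same check_tunnel_pair function also covers the Preshared Key variant, where both ends must carry the same key.

```python
"""Consistency checks for a pair of IPSec site-to-site tunnel specifications.

Added example, not part of Advanced Firewall or its documentation. The dict keys
name settings from the VPN > VPN > IPSec subnets page; the key spelling, sample
addresses, certificate IDs and minimum key length are this example's assumptions.
"""
from __future__ import annotations

import ipaddress

# Settings the guide says must be identical on both tunnel specifications.
MUST_MATCH = ("authentication_type", "use_compression", "pfs", "phase1_crypto",
              "phase1_hash", "phase2_crypto", "phase2_hash", "key_life", "ike_lifetime")

# Choices that interoperate but should only be selected for compatibility.
WEAK = {"authentication_type": {"AH": "AH authenticates but does not encrypt; use ESP"},
        "phase1_crypto": {"3DES": "legacy cipher; prefer AES 128 or AES 256"},
        "phase2_crypto": {"3DES": "legacy cipher; prefer AES 128 or AES 256"},
        "phase1_hash": {"MD5": "deprecated hash; prefer SHA"},
        "phase2_hash": {"MD5": "deprecated hash; prefer SHA"}}
MIN_PSK_LEN = 20  # assumption: anything shorter is treated as guessable


def parse_network(spec: str) -> ipaddress.IPv4Network:
    """Accept both 'address/mask' and 'address/prefix' as typed into the UI."""
    return ipaddress.IPv4Network(spec.replace(" ", ""), strict=False)


def check_tunnel_pair(primary: dict, secondary: dict) -> list[str]:
    """Return the problems found; an empty list means the pair is consistent."""
    problems: list[str] = []
    for key in MUST_MATCH:
        if primary.get(key) != secondary.get(key):
            problems.append(f"{key} differs: primary={primary.get(key)!r} "
                            f"secondary={secondary.get(key)!r}")

    # My Local network is your Remote network, and vice versa.
    p_local, p_remote = (parse_network(primary[k]) for k in ("local_network", "remote_network"))
    s_local, s_remote = (parse_network(secondary[k]) for k in ("local_network", "remote_network"))
    if p_local != s_remote:
        problems.append("primary local_network must equal secondary remote_network")
    if p_remote != s_local:
        problems.append("primary remote_network must equal secondary local_network")
    if p_local.overlaps(p_remote):
        problems.append("local and remote networks overlap; routing into the tunnel is ambiguous")

    # Exactly one side initiates, and it must know where to connect; a responder
    # left at Key tries = 0 would keep retrying a connection it cannot open.
    initiators = [s for s in (primary, secondary) if s["initiate"]]
    if len(initiators) != 1:
        problems.append("exactly one side should initiate the connection")
    for spec in initiators:
        if not spec["remote_ip"]:
            problems.append(f"{spec['name']}: initiating side has no Remote IP or hostname")
    for spec in (primary, secondary):
        if not spec["initiate"] and spec.get("key_tries", 0) == 0:
            problems.append(f"{spec['name']}: non-initiating side should not use Key tries = 0")

    auth = primary["authenticate_by"]
    if auth != secondary["authenticate_by"]:
        problems.append("authenticate_by differs")
    elif auth == "Preshared Key":
        if primary["preshared_key"] != secondary["preshared_key"]:
            problems.append("preshared keys differ")
        if len(primary["preshared_key"]) < MIN_PSK_LEN:
            problems.append(f"preshared key shorter than {MIN_PSK_LEN} characters")
    elif auth == "Certificate provided by peer":
        # The Remote ID value typed on one side is the ID in the other side's certificate.
        if primary["remote_id_value"] != secondary["local_cert_id"]:
            problems.append("primary Remote ID value does not name the secondary's certificate ID")
        if secondary["remote_id_value"] != primary["local_cert_id"]:
            problems.append("secondary Remote ID value does not name the primary's certificate ID")

    for spec in (primary, secondary):
        for key, table in WEAK.items():
            if spec.get(key) in table:
                problems.append(f"{spec['name']}: {key}={spec[key]}: {table[spec[key]]}")
    return problems


# Constructed sample following the guide's X509 example; 203.0.113.10 is a
# documentation address standing in for the head office's external IP.
COMMON = dict(authentication_type="ESP", use_compression=True, pfs=True,
              phase1_crypto="AES 256", phase1_hash="SHA", phase2_crypto="AES 256",
              phase2_hash="SHA", key_life=60, ike_lifetime=60, preshared_key="",
              authenticate_by="Certificate provided by peer")
HEAD_OFFICE = dict(COMMON, name="Tunnel to Branch Office", initiate=False, remote_ip="",
                   local_network="192.168.10.0/255.255.255.0",
                   remote_network="192.168.20.0/255.255.255.0", key_tries=3,
                   local_cert_id="head.example.com", remote_id_value="branch.example.com")
BRANCH_OFFICE = dict(COMMON, name="Tunnel to Head Office", initiate=True, remote_ip="203.0.113.10",
                     local_network="192.168.20.0/24",  # the prefix form is accepted too
                     remote_network="192.168.10.0/255.255.255.0", key_tries=0,
                     local_cert_id="branch.example.com", remote_id_value="head.example.com")
```

check_tunnel_pair(HEAD_OFFICE, BRANCH_OFFICE) returns an empty list for the guide's example. Change one side to MD5, set both sides not to initiate, or copy the primary's Local network into the secondary's Local network, and each mistake comes back as a named finding; the weak-algorithm findings are advisory and do not stop the tunnel from negotiating, they only tell you that the choice is there for compatibility rather than strength.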

Checking the System is Active
Once the tunnel specifications have been created, first ensure that the VPN subsystem is active on both the primary and secondary systems. To ensure the VPN subsystem is active on both systems:
1 On the primary system, navigate to the VPN > VPN > Control page.
2 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3 On the secondary system, navigate to the VPN > VPN > Control page.
4 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.

Activating the IPSec tunnel
Next, the secondary system should initiate the VPN connection. To initiate the VPN connection:
1 On the secondary system, navigate to the VPN > VPN > Control page.
2 In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.
Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring Inter-Zone Security on page 59.

IPSec Site to Site and PSK Authentication
Pre-Shared Key (PSK) authentication is useful for creating a basic VPN site-to-site connection where there is no requirement for multiple tunnel authentication and management controls.

Creating the Tunnel Specification on Primary System
To create the primary tunnel specification:
1 On the primary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave blank so that it is automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select Local IP. This will identify the primary system to the secondary system by using the primary system's external IP address.

Local ID value: Leave empty. It will be automatically generated as Local IP was chosen as the local ID type.
Remote IP or hostname: If the secondary system has a static IP address or hostname, enter it here. If the secondary system has a dynamic IP address, leave this field blank.
Remote network: Specify the network on the secondary system that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing network on the secondary system. For example, 192.168.20.0/255.255.255.0.
Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This will allow the primary system to use the secondary's IP address (if one was specified).
Remote ID value: Enter the external IP address of the secondary system, that is, the address it uses as its Local IP. If the secondary system has a dynamic address and Remote IP or hostname was left blank, leave this field blank as well.
Authenticate by: From the drop-down list, select Preshared Key. This will instruct Advanced Firewall to authenticate the secondary system by validating a shared pass phrase.
Preshared Key: Enter a passphrase. Use a long, randomly generated value: it is the only secret protecting the tunnel.
Preshared Key again: Re-enter the passphrase to confirm it.
Use compression: Select this option if you wish to reduce bandwidth consumption. It is useful for low bandwidth connections but requires more processing power.
Initiate the connection: Do not select this option. It will be the responsibility of all secondary systems to initiate their own connection to the primary Advanced Firewall system.
Comment: Enter a description, for example: Tunnel to Birmingham Branch.
2 Click Add. Advanced Firewall lists the tunnel in the Current tunnels area. All advanced settings can be safely left at their defaults.
The next step is to create a matching tunnel specification on the remote system.

Creating the Tunnel Specification on the Secondary System
To create the secondary tunnel specification:
1 On the secondary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave blank so that it is automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.

Local ID type: From the drop-down list, select Local IP. This will identify the secondary system to the primary system by using the secondary system's external IP address.
Local ID value: Leave empty. It will be automatically generated as Local IP was chosen as the local ID type.
Remote IP or hostname: Enter the external IP address of the primary system. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and thus it requires a destination IP address in order to make first contact.
Remote network: Specify the network on the primary system that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing network on the primary system. For example, 192.168.10.0/255.255.255.0.
Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This will allow the secondary system to identify the primary system by the address entered in Remote IP or hostname.
Remote ID value: Enter the external IP address of the primary system.
Authenticate by: From the drop-down list, select Preshared Key. This will instruct Advanced Firewall to authenticate the primary system by validating a shared pass phrase.
Preshared Key: Enter the same passphrase as was entered in the Preshared Key field on the primary system.
Preshared Key again: Re-enter the passphrase to confirm it.
Use compression: Select this option if compression was enabled on the primary system.
Initiate the connection: Select this option as it is the responsibility of the secondary system to initiate its connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment, for example, Tunnel to Head Office.
2 Click Add. All advanced settings can be safely left at their defaults.

Activating the PSK tunnel

Checking the System is Active
Once the tunnel specifications have been created, first ensure that the VPN subsystem is active on both the primary and secondary systems. To check the system is active:
1 On the primary system, navigate to the VPN > VPN > Control page.
2 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3 On the secondary system, navigate to the VPN > VPN > Control page.
4 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
Next, the secondary system should initiate the VPN connection. To activate the tunnel:
1 On the secondary system, navigate to the VPN > VPN > Control page.

2 In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.
Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring Inter-Zone Security on page 59.

About Road Warrior VPNs
This part of the manual explains how to create road warrior VPN connections to enable mobile and home-based workstations to remotely join a host network. When a road warrior connects to Advanced Firewall, it is given an IP address on a specified internal network. When connected, the road warrior client machine will, to all intents and purposes, be on the configured internal network, just as if it was plugged into the network directly. Other machines on the same internal network can see the client, including other VPN-connected ones. Traffic can also be routed to other subnets.
Advanced Firewall supports two different VPN protocols for creating road warrior connections:
• L2TP – L2TP connections are extremely easy to configure for road warriors using Microsoft operating systems, and there are fewer configuration parameters to consider when creating a tunnel specification. However, all L2TP road warriors must connect to the same internal network.
• IPSec – IPSec road warrior connections use the same technology that Advanced Firewall uses to create site-to-site VPNs. IPSec road warriors must have IPSec client software installed and configured to connect to Advanced Firewall. IPSec road warriors can be configured to connect to any internal network. It is recommended for road warriors using Apple Mac, Linux or other non-Microsoft operating systems.
Note: Road warrior configuration tutorials are provided in VPN Tutorials on page 178.

Configuration Overview
Typically, a road warrior connection is configured as follows:
1 Create a certificate for each road warrior user, usually with the user's email address as its ID type. Each user requires their own tunnel, so create as many tunnels as there are road warriors.
2 Decide which VPN protocol best suits your road warrior's needs: L2TP for Win 2000/XP, IPSec for all others.
3 Decide which internal networks and what IP ranges to allocate to road warriors. Typically, you would choose a group of IP addresses outside of both the DHCP range and any statically assigned machines such as servers. Each road warrior must use a unique, unused IP address. When configuring a tunnel, the Client IP setting is used to assign the road warrior's IP address on the local network. This IP address must match the network that the road warrior connects to (globally specified for L2TP connections, individually specified for each IPSec road warrior).
4 Create the tunnel specification on the Advanced Firewall system.
5 Install the certificate and any necessary client software on the road warrior system and configure it.
6 Connect.
7 Ensure that inbound and outbound access to the road warrior have been configured using appropriate zone bridging rules. For further information, see Chapter 6, Configuring Inter-Zone Security on page 59.
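Step 3 is where most road warrior problems start: a Client IP inside the DHCP pool, an address reused by two users, or a Client IP that is not on the Local network the tunnel is assigned to. The Python below is an added example, not part of Advanced Firewall or this guide; it applies those rules to a constructed /24 (the DHCP pool, the two servers and the one road warrior already placed are sample data invented for the example), hands out the next free addresses, and computes the Local network value that restricts a road warrior to chosen hosts, in the address/mask notation the tunnel pages use.

```python
"""Plan road warrior Client IP addresses on an internal network.

Added example, not part of Advanced Firewall or its documentation. The network,
DHCP range, static servers and existing assignments below are constructed
sample data; the planner itself is this example's own code.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable, Optional


def to_mask_notation(network: ipaddress.IPv4Network) -> str:
    """Render a network as 'address/mask', the form used on the tunnel pages."""
    return f"{network.network_address}/{network.netmask}"


def reachable_hosts_setting(hosts: Iterable[str]) -> str:
    """Smallest Local network value that covers the given hosts.

    A single host gives a /32; several hosts give their common supernet,
    which may contain other addresses as well, so check before applying it.
    """
    addrs = [ipaddress.IPv4Address(h) for h in hosts]
    net = ipaddress.IPv4Network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()
    return to_mask_notation(net)


class ClientIPPlanner:
    """Hands out unique, unused Client IPs outside the DHCP and server ranges."""

    def __init__(self, local_network: str, dhcp_range: tuple[str, str],
                 static_hosts: Iterable[str] = (), assigned: Iterable[str] = ()):
        self.network = ipaddress.IPv4Network(local_network.replace(" ", ""), strict=False)
        self.dhcp_low, self.dhcp_high = (ipaddress.IPv4Address(a) for a in dhcp_range)
        self.static = {ipaddress.IPv4Address(a) for a in static_hosts}
        self.assigned = {ipaddress.IPv4Address(a) for a in assigned}

    def why_unusable(self, candidate: str) -> Optional[str]:
        """Explain why a proposed Client IP is invalid, or None if it is usable."""
        ip = ipaddress.IPv4Address(candidate)
        if ip not in self.network:
            return f"{ip} is not inside {to_mask_notation(self.network)}"
        if ip in (self.network.network_address, self.network.broadcast_address):
            return f"{ip} is the network or broadcast address"
        if self.dhcp_low <= ip <= self.dhcp_high:
            return f"{ip} lies in the DHCP range {self.dhcp_low}-{self.dhcp_high}"
        if ip in self.static:
            return f"{ip} is statically assigned to a server"
        if ip in self.assigned:
            return f"{ip} is already used by another road warrior"
        return None

    def allocate(self, count: int = 1) -> list[str]:
        """Reserve the next `count` usable addresses and return them."""
        chosen: list[str] = []
        for host in self.network.hosts():
            if len(chosen) == count:
                break
            if self.why_unusable(str(host)) is None:
                self.assigned.add(host)
                chosen.append(str(host))
        if len(chosen) < count:
            raise RuntimeError("no free addresses left for road warriors")
        return chosen


def demo_planner() -> ClientIPPlanner:
    """Constructed sample: a /24 with a DHCP pool, two servers and one road warrior."""
    return ClientIPPlanner("192.168.2.0/255.255.255.0", ("192.168.2.100", "192.168.2.199"),
                           static_hosts=["192.168.2.1", "192.168.2.10"],
                           assigned=["192.168.2.200"])
```

Ask the planner why_unusable("192.168.2.150") and it names the DHCP pool; allocate(2) on the sample returns 192.168.2.2 and 192.168.2.3 (192.168.2.1 is a server) and records them, so the same address is never handed to two road warriors. reachable_hosts_setting(["192.168.2.10"]) gives 192.168.2.10/255.255.255.255, the single-host restriction; two hosts such as .10 and .12 give 192.168.2.8/255.255.255.248, which also admits .8, .9, .11, .13, .14 and .15, which is why the result should be reviewed before it goes into the Local network field.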

IPSec Road Warriors
Before creating a road warrior connection using IPSec, check the following list to assess whether it is the right choice:
• Each connection can be routed to a different internal network.
• Each connection can use different types of cryptographic and authentication settings.
• Client software will need to be installed on road warrior systems.
Also note that the same advanced options that are available when configuring IPSec site-to-site VPNs are also available to IPSec road warriors. This includes overriding the default local certificate.

Creating an IPSec Road Warrior
To create an IPSec road warrior connection:
1 Navigate to the VPN > VPN > IPSec roadwarriors page.
2 Configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to activate the tunnel once it has been added.
Local network: Enter the IP address and network mask combination of the local network. For example, 192.168.2.0/255.255.255.0 or 192.168.2.0/24.
Note: It is possible to restrict (or extend) the hosts that a road warrior can see on its assigned internal network by changing this setting. For example, set the local network to 192.168.2.0/255.255.255.0 to allow the road warrior to access all addresses in the range 192.168.2.0 to 192.168.2.255. Accordingly, if you wish to restrict the connected road warrior to a specific IP address such as 192.168.2.10, enter the value 192.168.2.10/32.
Client IP: Enter a client IP address for this connection. The IP address must be a valid and available address on the network specified in the Local network field.

Local ID type: From the drop-down list, select the local ID type. Default local Certificate Subject is recommended for road warrior connections.
Local ID value: If you chose a User Specified ID type, enter a local ID value.
Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This is recommended as it allows the road warrior to present any form of valid ID.
Remote ID value: Enter the value of the ID used in the certificate that the road warrior is expected to present. This ties the tunnel to the certificate carrying that ID.
Authenticate by: From the drop-down list, select one of the following options:
To use the road warrior's certificate, select it. Authenticating by a named certificate is recommended for ease of management.
To use a certificate created by a different CA, choose Certificate presented by peer.
Preshared Key – Select to use the global preshared key as defined on the VPN > VPN > Global page.
Use compression: Select to reduce bandwidth consumption (useful for low bandwidth connections). This will require more processing power.
Comment: Enter a descriptive comment, for example: Joe Blogg's IPSec connection.

3 Click Advanced and enter the following information:
Local certificate: This is used in less standard X509 authentication arrangements.
Interface: Used to specify whether the road warrior will connect via an external IP or an internal interface.
Authentication type: Provides a choice of ESP or AH protection for the tunnel.
ESP – Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance.
AH – IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, AH is not recommended.
Perfect Forward Secrecy: This enables Perfect Forward Secrecy, a fresh Diffie-Hellman exchange for each set of tunnel keys, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS. For further details, see Advanced VPN Configuration on page 171.

Phase 1 cryptographic algo: This selects the encryption algorithm used for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
3DES – A triple strength version of the DES cryptographic standard using a 168-bit key. 3DES was a very strong encryption algorithm but has been exceeded in recent years and is now regarded as a legacy cipher. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility only.
AES 128 – Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. Recommended for faster performance and compatibility.
AES 256 – Advanced Encryption Standard with a 256-bit key. It is recommended for maximum security and performance.
Phase 1 hash algo: This selects the hashing algorithm used for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
MD5 – A cryptographic hash function producing a 128-bit digest. MD5 is no longer considered secure and should only be selected for compatibility with older gateways.
SHA – Secure Hash Algorithm (SHA-1), producing a 160-bit digest, and the US government's hashing standard at the time of writing. Recommended over MD5.
Phase 2 cryptographic algo: This selects the encryption algorithm used for the second phase of VPN tunnel establishment. See Phase 1 cryptographic algo for more information on the options. This setting should be the same on both tunnel specifications of two connecting gateways.
Phase 2 hash algo: This selects the hashing algorithm used for the second phase of VPN tunnel establishment. See Phase 1 hash algo for more information on the options. This setting should be the same on both tunnel specifications of two connecting gateways.
Key life: This sets the duration that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, which limits how much traffic any one key protects and so reduces the threat of snooping attacks. This setting should be the same on both tunnel specifications of two connecting gateways.
IKE lifetime: Sets how frequently the Internet Key Exchange keys are re-exchanged. The default and maximum value of 60 minutes is recommended.
Key tries: This sets the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because, if an active connection drops, it will persistently try to re-key a connection that it cannot initiate.
Do not Rekey: Turns off re-keying, which can be useful, for example, when working with NAT-ed end-points.
Note: The advanced settings of an IPSec road warrior tunnel operate in exactly the same manner as those for a site-to-site IPSec connection. For details on the operation of each advanced control, see Section 5.1 Introduction to Site to Site VPNs.
4 Click Add at the bottom of the page to add the tunnel to the list of current tunnels.

Supported IPSec Clients
Smoothwall currently recommends the use of the following third-party IPSec client applications for IPSec road warriors with Microsoft Operating Systems:
• SafeNet SoftRemote LT
• SafeNet SoftRemote 10
• SafeNet SoftRemote 9

Creating L2TP Road Warrior Connections
This section covers the steps required to create an external road warrior connection using L2TP. Such connections have the following features:
• All connections share the same, globally specified subnet.
• Very easy to configure.
• Mostly supported by Microsoft operating systems, with built-in support on Windows 2000 and XP.

Configuring L2TP and SSL VPN Global Settings
To configure L2TP and SSL VPN global settings:
1 On the VPN > VPN > Global page, configure the following settings:
L2TP and SSL VPN client configuration settings: Enter primary and secondary DNS settings. These DNS settings will be assigned to all connected L2TP road warriors and SSL VPN users. If applicable, enter primary and secondary WINS settings. These WINS settings will be assigned to all connected L2TP road warriors and SSL VPN users.
L2TP settings: From the drop-down list, select the internal network that L2TP road warriors will be connected to.
2 Click Save.

Creating a Certificate
The first task when creating an L2TP road warrior connection is to create a certificate. A road warrior certificate is typically created using the user's email address as the certificate ID. For further information, see Creating a Certificate on page 134.

Creating an L2TP Tunnel
To create an external L2TP road warrior connection:
1 Navigate to the VPN > VPN > L2TP roadwarriors page.
2 Click Advanced to display all settings and configure the following settings:
Name: Enter a descriptive name for the tunnel. For example: Joe Blogg's L2TP.
Enabled: Select to activate the tunnel once it has been added.
Username: Enter a username for this connection.
Password: Enter a password for the tunnel.
Again: Re-enter the password to confirm it.
Client IP: Enter a client IP address for this connection in the Client IP field. The IP address must be a valid and available IP on the globally specified internal network.
L2TP client OS: From the drop-down list, select the L2TP client's operating system.
Authenticate by: From the drop-down list, select one of the following options:
To use the road warrior's certificate, select it. Authenticating by a named certificate is recommended for ease of management.
Certificate presented by peer – If the certificate was created by a different CA, choose this option.
Common Name's organization certificate – The peer has a copy of the public part of the host's certificate. Here both ends are Certificate Authorities, and each has installed the peer's public certificate.
Comment: Enter a descriptive comment.
Advanced: Click Advanced to access more options.
Interface: Select PRIMARY.
Local certificate: From the drop-down list, select the default local certificate to provide the Advanced Firewall's default local certificate as proof of authenticity to the connecting road warrior.
3 Click Add to create the L2TP tunnel specification and add it to the Current tunnels region.

Configuring an iPhone-compatible Tunnel
Advanced Firewall enables you to configure iPhone-compatible tunnels.
Note: Before you start, please be aware of the following limitation in IPSec preshared key (PSK) authentication mode: all connections from unknown IP addresses, including IPSec and L2TP road warriors, must use the same authentication method, and, in the case of PSK, the same secret. In practice, this means that if you want to create a tunnel between an iPhone-compatible device and Advanced Firewall, you must:
• not have any L2TP or IPSec road warriors, as they use certificates for authentication
• not have any IPSec subnet tunnels to unknown (blank) remote IPs. There is a workaround for subnet tunnels to unknown remote IPs, but the IPSec subnets would have to use PSK authentication with the same shared secret as the iPhone-compatible device.
Configuring an iPhone-compatible tunnel entails:
• setting a preshared key and configuring DNS and interface settings on the VPN > VPN > Global page
• creating the tunnel on the VPN > VPN > L2TP roadwarriors page.
To configure an iPhone-compatible tunnel:
1 On the VPN > VPN > Global page, configure the following settings:
Setting – Description
IPSec Road Warrior (and L2TP) Preshared Key – Preshared key – Enter a strong password which contains more than 6 characters.
L2TP and SSL VPN client configuration settings – Enter the primary and secondary DNS settings.
2 Click Save. Browse to the VPN > VPN > L2TP roadwarriors page and configure the following settings:
Setting – Description
Name – Enter a descriptive name for the tunnel. For example: CEO's iPhone.
Enabled – Select to activate the tunnel once it has been added.
Client IP – Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network.
Username – Enter a username for this connection.
Password – Enter a password for the tunnel.
Again – Re-enter the password to confirm it.
Authenticate by – Preshared key (iPhone compatible) – Select this option to use the preshared key entered in step 1.
L2TP client OS – From the drop-down list, select Apple (iPhone compatible).
Comment – Optionally, enter a description of the tunnel.
3 Click Add. Advanced Firewall creates the tunnel and lists it in the Current tunnels area.
4 On the iPhone-compatible device, navigate to Settings > General > Network > VPN.
5 Select Add VPN Configuration and configure the following settings:
Setting – Description
Description – Enter a description for the tunnel.
Server – Enter Advanced Firewall's external IP address.
156

Account – Enter the username as entered in step 2.
Password – Enter the password as entered in step 2.
Secret – Enter the PSK as configured in step 1.
RSA SecurID – Set to OFF.
Send All Traffic – Set to ON for routing to other VPNs.
Proxy – Set to OFF.
6 Select Save to save the tunnel configuration. The tunnel is now ready for use.

Using NAT-Traversal
Passing IPSec traffic through any NATing device such as a router (or a separate firewall in front of the VPN gateway/client) can cause problems. IPSec normally uses Protocol 50 which embeds IP addresses within the data packets – standard NATing will not change these addresses, and the recipient VPN gateway will receive VPN packets containing private (non-routable) IP addresses. In this situation, the VPN cannot work.
However, Advanced Firewall can operate in IPSec NAT Traversal (NAT-T) mode, as do the vast majority of other modern VPN gateway devices. NAT-T uses the UDP Protocol instead of Protocol 50 for IPSec VPN traffic – UDP is not affected by the NAT process. This does of course require that the other end of the VPN tunnel supports NAT-T. Both SafeNet SoftRemote and SSH Sentinel support this mode.
Note: NAT-T is a VPN gateway feature, not a NATing feature.
Note: Any IPSec VPN client connections from a local network behind Advanced Firewall that connect to another vendor's VPN gateway will also need to use NAT-T rather than Protocol 50 for the reasons stated above.

VPNing Using L2TP Clients
This section explains the configuration process for supported Microsoft operating systems.
L2TP Client Prerequisites
To connect to an L2TP tunnel, a road warrior must be using a Microsoft operating system which is covered by the Microsoft support lifecycle. Specifically, one particular Windows update is required for L2TP connections to function:
• Q818043 – L2TP/IPSec NAT-T update. Information about this patch can be found at http://support.microsoft.com/?kbid=818043
The above update will already be installed if you are running Windows XP SP2 or above, or Windows 2000 SP4 or above.
Connecting Using Windows XP/2000
Users of Windows XP or Windows 2000 should first ensure that they are running the latest service release of their operating system. Please use the Microsoft Windows Update facility to ensure compliance, see http://windowsupdate.microsoft.com/
157

• One further requirement is that the road warrior user must be a member of the Administrator group in order to install the necessary certificates into the Local Computer certificate store.
Installing an L2TP Client
The first step in the connection process is to run the L2TP Client Wizard. It is a freely distributable application that automates much of the configuration process. You can download it from here.
When started, the L2TP Client Wizard first ensures that the Q818043 hotfix is installed. If it is not, the program issues a warning. Assuming the hotfix is installed, it will then guide the user through the steps of configuring the connection to the Advanced Firewall system.
Note: There is an alternative configuration method that uses a command line tool, thus enabling an L2TP connection to be configured as part of a logon script. For details, see Advanced VPN Configuration on page 171.
To install the L2TP client:
1 Run the L2TP Client Wizard on the road warrior system. The following screen is displayed:
2 View the license and click Next to agree to it.
158

3 Click Browse and open the CA certificate file as exported during the certificate creation process. Click Next. The following dialog opens:
4 Click Browse to locate and select the road warrior's host certificate file, as exported during the certificate creation process. This must be a PKCS#12 file, typically saved as *.p12. Enter the password and click Next. The following screen is displayed:
5 Ensure that the Launch New Connection Wizard option is selected and click Install.
159

6 The wizard installs the certificates. Click Finish. The Microsoft New Connection Wizard is launched.
7 Click Next. The following screen is displayed:
8 Select Connect to the network at my workplace and click Next.
160

9 Select Virtual Private Network connection and click Next. The following screen is displayed:
10 Enter a name for the connection and click Next. The following screen is displayed:
11 Enter Advanced Firewall's host name or IP address and click Next.
161

12 Click Finish. The Connect dialog box is displayed.
13 Enter the username and password of the road warrior and click Connect. Ensure that the tunnel is enabled.
Note: Certain anti-malware and worm detection software may generate alerts when L2TP client connections are first established. Only UDP port 500 and UDP port 4500 and/or ESP should flow from the road warrior when using a Smoothwall L2TP over an IPSEC connection. Any alerts concerning this kind of traffic can be safely ignored, and unblocked communication permitted.

VPNing with SSL
Advanced Firewall supports OpenVPN SSL connections. Using light-weight clients, which can be easily configured and distributed, any user account able to authenticate to the directory service configured, plus the list of local users, gain easy and secure VPN access to your network. All your users need to know is their Advanced Firewall user account name and password.
Configuring VPN with SSL
The following section explains how to configure Advanced Firewall for VPNing with SSL.
Prerequisites
• An installed default local certificate, see Setting the Default Local Certificate on page 137 for more information.
To configure SSL VPN settings:
1 Browse to the VPN > VPN > Global page. In the SSL VPN settings area, configure the following settings:
Setting – Description
Enable SSL VPN – Select to enable SSL VPN on Advanced Firewall.
Transport protocol – Select the network protocol. The following options are available: TCP (HTTPS) – Select to run the SSL VPN connection over TCP on port 443, the standard HTTPS port. This protocol is preferred for compatibility with filters between the client and the server. UDP (1194) – Select to run the SSL VPN connection over UDP on port 1194. This protocol is preferred for performance.
162
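The note about alerts relies on a fixed expectation: an L2TP road warrior should only send IKE (UDP/500), NAT-T encapsulated IPSec (UDP/4500) or native ESP towards the gateway. The following Go program, added here as an illustration and not code from Smoothwall or this guide, turns that expectation into a check that can be run over flow or firewall log records, so that alerts on the expected traffic can be dismissed while anything else from a road warrior address is reviewed. The Flow structure and the sample records are constructed for the example; real logs would need a small parser in front of it.

```go
package main

import (
	"fmt"
	"strings"
)

// Flow is one observation of traffic from a road warrior towards the VPN
// gateway, with the fields a firewall or flow log would typically carry.
type Flow struct {
	Src     string // road warrior address as seen by the gateway
	Proto   string // "udp", "tcp", "esp" ...
	DstPort int    // 0 for protocols without ports, such as ESP
}

// Classify names the role of a flow in an L2TP-over-IPSec connection:
// UDP/500 carries IKE negotiation, UDP/4500 carries NAT-T encapsulated
// IPSec, and IP protocol 50 (ESP) carries native IPSec for clients that
// are not behind NAT. Anything else is not part of tunnel set-up.
func Classify(f Flow) string {
	switch strings.ToLower(f.Proto) {
	case "udp":
		switch f.DstPort {
		case 500:
			return "ike"
		case 4500:
			return "nat-t"
		}
	case "esp", "50":
		return "esp"
	}
	return "unexpected"
}

// ReportUnexpected returns the flows that do not belong to L2TP/IPSec
// set-up, so alerts about the expected traffic can be dismissed and only
// the remainder reviewed.
func ReportUnexpected(flows []Flow) []Flow {
	var out []Flow
	for _, f := range flows {
		if Classify(f) == "unexpected" {
			out = append(out, f)
		}
	}
	return out
}

// SampleFlows is constructed sample data, not a capture from a real system.
func SampleFlows() []Flow {
	return []Flow{
		{"203.0.113.7", "udp", 500},  // IKE from a client behind a NATing router
		{"203.0.113.7", "udp", 4500}, // the same client continues with NAT-T
		{"198.51.100.9", "udp", 500}, // IKE from a client with a public address
		{"198.51.100.9", "esp", 0},   // native ESP: no NAT in the path
		{"203.0.113.7", "tcp", 445},  // file sharing outside the tunnel: review
		{"203.0.113.7", "udp", 1701}, // L2TP in the clear: should only appear inside IPSec
	}
}

func main() {
	for _, f := range SampleFlows() {
		fmt.Printf("%-14s %-4s %5d  %s\n", f.Src, f.Proto, f.DstPort, Classify(f))
	}
	fmt.Println("unexpected flows:", len(ReportUnexpected(SampleFlows())))
}
```

A client behind NAT is expected to move from UDP/500 to UDP/4500 rather than to ESP, which is the NAT-T behaviour described in the Using NAT-Traversal section; native ESP from such a client is the failure case that section warns about.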

SSL VPN network address – Accept the default network address or enter a new one. Note: Because connected clients are placed on a virtual network, SSL VPN users, when they connect, get an IP address on a virtual interface within Advanced Firewall. Therefore, to ensure that a user gets full VPN connectivity, all machines they access must also have a route to this network. The IP range must not be one used for any physical network. If the default subnet, 10.110.0/24, is taken by any existing network, configure this setting to use a range not taken on the network.
SSL VPN netmask – Accept the default network netmask or enter a new one.
SSL VPN client gateway(s) – Usually, a client is configured to use Advanced Firewall's primary external IP address as its gateway. However, you have the option to set one or more different gateways. Enter one IP address or hostname per line. If set, the gateway(s) will be used by the SSL VPN clients as the connecting gateway host. If blank, the primary external IP address of the gateway will be used, and, if dynamic DNS is used, this will not work.
Choose random gateway – Select this setting to enable clients to connect on a random address when multiple gateways are defined. This is good for load balancing over multiple links.
Enable TLS authentication – Select this setting to apply Transport Layer Security (TLS) authentication. TLS authentication can mitigate a denial of service condition. Note: For systems which have never had VPN configured, this setting is on by default. For systems which have had VPN configured, this setting is off by default.
Force clients to use SSL VPN as gateway – Select to configure Advanced Firewall to force the client to send all its traffic through the SSL VPN connection. Advanced Firewall can force all connected clients to route through it, which is generally better as it enforces the policy on the server end.
2 Click Save to save the settings, and, at the top of the page, click Restart to apply the settings.
Note: On Windows Vista, add the user to the built-in network configuration operator group.

Managing SSL Road Warriors
Managing SSL road warriors entails managing group access to SSL VPNs and managing custom scripts for SSL VPNs. See the sections that follow for more information.
Managing Group Access to SSL VPNs
By default all groups are allowed to use SSL VPN. Advanced Firewall enables you to stop one or more groups from using SSL VPNs by disabling access.
163
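Two of the address rules in this guide are easy to get wrong by hand: the SSL VPN virtual network must not overlap any physical network, and an L2TP road warrior's Client IP must be a valid, unused address inside the globally specified internal network. The Go code below is an added example, not part of Advanced Firewall, that checks both rules before a setting is committed. The subnets and addresses in the test are constructed; the "10.110.0/24" default quoted in the table is not assumed to be exactly what a given installation uses.

```go
package main

import (
	"fmt"
	"net"
)

// overlaps reports whether two CIDR blocks share any address. For aligned
// blocks this holds exactly when one contains the other's network address.
func overlaps(a, b *net.IPNet) bool {
	return a.Contains(b.IP) || b.Contains(a.IP)
}

// CheckSSLVPNRange verifies that the proposed SSL VPN virtual network does
// not collide with any physical network the gateway knows about. It returns
// the physical CIDRs it collides with; an empty result means the range is usable.
func CheckSSLVPNRange(proposed string, physical []string) ([]string, error) {
	_, vpnNet, err := net.ParseCIDR(proposed)
	if err != nil {
		return nil, fmt.Errorf("SSL VPN range %q: %w", proposed, err)
	}
	var conflicts []string
	for _, p := range physical {
		_, pNet, err := net.ParseCIDR(p)
		if err != nil {
			return nil, fmt.Errorf("physical network %q: %w", p, err)
		}
		if overlaps(vpnNet, pNet) {
			conflicts = append(conflicts, p)
		}
	}
	return conflicts, nil
}

// CheckL2TPClientIP enforces the "valid and available IP on the globally
// specified internal network" rule: the address must parse as IPv4, lie
// inside the internal network, not be its network or broadcast address, and
// not already be assigned to another tunnel or host.
func CheckL2TPClientIP(clientIP, internalNet string, taken []string) error {
	ip := net.ParseIP(clientIP).To4()
	if ip == nil {
		return fmt.Errorf("%q is not a valid IPv4 address", clientIP)
	}
	_, n, err := net.ParseCIDR(internalNet)
	if err != nil {
		return fmt.Errorf("internal network %q: %w", internalNet, err)
	}
	if !n.Contains(ip) {
		return fmt.Errorf("%s is outside the internal network %s", ip, internalNet)
	}
	network := n.IP.To4()
	broadcast := make(net.IP, 4)
	for i := range broadcast {
		broadcast[i] = network[i] | ^n.Mask[i]
	}
	if ip.Equal(network) || ip.Equal(broadcast) {
		return fmt.Errorf("%s is the network or broadcast address of %s", ip, internalNet)
	}
	for _, t := range taken {
		if ip.Equal(net.ParseIP(t)) {
			return fmt.Errorf("%s is already in use", ip)
		}
	}
	return nil
}

func main() {
	// Constructed values for demonstration only.
	physical := []string{"192.168.1.0/24", "10.110.0.0/16"}
	conflicts, err := CheckSSLVPNRange("10.110.0.0/24", physical)
	fmt.Println("SSL VPN range conflicts:", conflicts, "err:", err)
	fmt.Println("client IP check:", CheckL2TPClientIP("192.168.1.50", "192.168.1.0/24", []string{"192.168.1.51"}))
}
```

The overlap test works because CIDR blocks are aligned: two aligned blocks either nest or are disjoint, so testing each network address against the other block is sufficient.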

To disable a group from using SSL VPN:
1 Browse to the VPN > VPN > SSL roadwarriors page. Advanced Firewall displays SSL VPN group settings.
2 In the Select group area, select the group you want to disable from using SSL VPN and then click Select.
3 De-select the Enable option and click Save. Advanced Firewall disables access.
4 Repeat the steps above for any other groups you want to disable from using SSL VPN.

Managing Custom Client Scripts for SSL VPNs
Advanced Firewall enables you to upload or remove preconnect, connect and disconnect scripts which can carry out custom commands before or after a VPN comes up or goes down. You can also deploy scripts based on groups.
Uploading Scripts
To upload scripts:
1 Browse to the VPN > VPN > SSL roadwarriors page.
2 In the Select group area, from the Select group drop-down list, select the group to which the script(s) will be specifically deployed, or, accept the default settings to apply any uploaded scripts to all groups. Click Select.
3 To upload a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script text box, click Browse.
4 When prompted, browse to and select the script. Click Upload preconnect script. Advanced Firewall uploads the script, displays the size of the script and a message confirming a successful upload.
5 Repeat the steps above to upload connect and disconnect scripts as required.
Removing Scripts
To remove scripts:
1 Browse to the VPN > VPN > SSL roadwarriors page.
2 From the Select group drop-down list, select the group from which the script(s) will be specifically removed, or, accept the default settings to remove any uploaded scripts from all groups. Click Select.
164

3 To remove a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script text box, click Remove preconnect script.
4 Advanced Firewall removes the script and displays a message confirming a successful removal.
5 Repeat the steps above to remove connect and disconnect scripts as required.

Generating SSL VPN Archives
You can generate an archive of the SSL VPN settings which can be distributed to users. Archives can contain SSL VPN settings and, optionally, custom client scripts.
To generate an SSL client archive:
1 On the VPN > VPN > Global page, configure the SSL VPN settings. For information on how, see Configuring VPN with SSL on page 162.
2 If you do not want to include custom scripts in the archive, you can generate the archive now. Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required and prompts you to save the file in a suitable location. See step 4 for what to do next.
3 If you want to include scripts in the archive, browse to the VPN > VPN > SSL roadwarriors page and configure the scripts. For more information, see Managing Custom Client Scripts for SSL VPNs on page 164.
4 Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable location.
5 Once saved, distribute the archive to those users who will be using SSL VPNing. You can use the Advanced Firewall portal to distribute the archive. For more information, see Chapter 8, Making the SSL VPN Client Archive Available on page 85. See Configuring and Connecting Clients on page 166 for information on how to install the SSL VPN software on clients.
Note: The same archive can be used for both internal and external use. See Configuring SSL VPN on Internal Networks on page 165 for more information on internal use.

Configuring SSL VPN on Internal Networks
Advanced Firewall's SSL VPN functionality can be deployed to secure internal wireless interfaces.
To configure SSL VPN on an internal network:
1 On the VPN > VPN > Global page, configure the SSL VPN settings. For information on how, see Configuring VPN with SSL on page 162.
2 Click Advanced and, in the Additional SSL VPN client internal interfaces area, select the interface on which to deploy the SSL VPN.
3 Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable location.
4 Once saved, distribute the archive to users who require secure access to the internal wireless interface. You can use the Advanced Firewall portal to distribute the archive. For more information, see Chapter 8, Making the SSL VPN Client Archive Available on page 85.
Note: An archive can be used for both internal and external use. See Configuring VPN with SSL on page 162 for more information on external use.
165

Configuring and Connecting Clients
The following sections explain how to install the SSL VPN client software, and connect using an SSL VPN connection.
Installing the Software
To install the SSL VPN client software:
1 Extract the client archive, see Configuring VPN with SSL on page 162, to a suitable location and double-click on Smoothwall-SSL-OpenVPN-client.exe to start the installation wizard. The following screen opens:
2 Click Next to continue. The following screen opens:
3 Read the license and click I agree to continue.
166

The following screen opens:
4 Accept the default components and click Next to continue. The following screen opens:
5 Accept the default destination folder or click Browse to select a different destination. Click Install to continue. The following screen opens:
6 Click Continue Anyway.
167

The following screen opens:
7 Click Next to continue. The following screen opens:
8 Click Finish to complete the installation.
Opening an SSL VPN Connection
To open an SSL VPN connection:
1 In the system tray, right click on OpenVPN GUI and select Connect. The following dialog box is displayed:
2 Configure the following settings:
Setting – Description
Username – Enter the name of the user account to be used.
Password – Enter the password belonging to the account.
168

3 Click OK. The SSL VPN connection is opened.

Closing an SSL VPN Connection
To close an SSL VPN connection:
1 In the system tray, right click on OpenVPN GUI and select Disconnect.

VPN Zone Bridging
In order to permit or deny inbound and outbound access to and from a site-to-site VPN tunnel,
ensure that appropriate zone bridging rules are configured.
L2TP road warriors and SSL VPNs require zone bridging rules that bridge the interface. IPSec road
warriors also require zone bridging rules, and share their zone bridging configuration with IPSec
subnets. For more information, see Chapter 6, Configuring Inter-Zone Security on page 59.

Secure Internal Networking
This part of the manual explains how Advanced Firewall can be used to provide secure internal
networking using VPN technology.
An internal VPN capability can be useful in many situations; a few examples of typical scenarios are
given below:

• Secure wireless access – Commonly used wireless access protocols offer relatively weak levels of
security, thus allowing potential intruders to directly access and intercept confidential data on an
organization’s internal network. Advanced Firewall can ensure secure wireless access by providing
an additional interface as an internal VPN gateway. By attaching a wireless access point to this
interface, wireless clients can connect and create a secure tunnel to the desired internal network.
Without the necessary authentication credentials (a certificate), wireless intruders cannot gain access
to any network resource.

• Hidden network access – It is possible to create a hidden network that can only be accessed via a
secure VPN tunnel. This might be useful to guarantee that certain resources can only be accessed
by an exclusively authenticated member of staff. To do this, create a network that is not bridged to
any other. Nominate an internal interface as a VPN gateway and set the client internal interface to the
hidden network.
There is no complicated configuration process for creating such internal VPNs; the facility is provided
by globally nominating an internal VPN interface and creating tunnels that specify it as their interface.

Creating an Internal L2TP VPN
To create an internal L2TP VPN connection:
1 Navigate to the VPN > VPN > Global page.
2 In the L2TP settings area, from the L2TP client internal interface drop-down list, choose an
internal network interface.
3 Optionally, click Advanced and configure the following settings:
Setting – Description
Enable NAT-Traversal – NAT-T is enabled by default and allows IPSec clients to connect from behind
NATing devices. In some advanced and unusual situations, however, this feature may prevent
connections, therefore, NAT-T can be disabled.

169

Setting – Description
Enable Dead Peer Detection – Used to activate a keep-alive mechanism on tunnels that support it.
This setting, commonly abbreviated to DPD, allows the VPN system to almost instantly detect the
failure of a tunnel and have it marked as Closed in the control page. If this feature is not used, it can
take any time up to the re-keying interval (typically 20 minutes) to detect that a tunnel has failed.
Since not all IPSec implementations support this feature, it is not enabled by default. In setups
consisting exclusively of Advanced Firewall VPN gateways, it is recommended that this feature is
enabled.
Copy TOS (Type Of Service) bits in and out of tunnels – When selected, TOS bits are copied into the
tunnel from the outside as VPN traffic is received, and conversely in the other direction. This makes
it possible to treat the TOS bits of traffic inside the network (such as IP phones) in traffic shaping
rules within Traffic and traffic shape them. If this option is not selected, the TOS bits are hidden
inside the encrypted tunnel and it is not possible to traffic shape VPN traffic.
Note: There is a theoretical possibility that enabling this setting can be used to spy on traffic.

4 Click Save.
Note: We advise you to limit any zone bridging from the nominated interface to other interfaces.
Tunnels connecting to the nominated additional interface will be assigned an IP address on the L2TP
client internal interface, as shown in the L2TP settings region.
If a zone bridge is created between the additional nominated interface and the L2TP client interface,
it allows the VPN to be circumvented and thus limits its usefulness.
5 Create a certificate for the L2TP client. See Creating a Certificate on page 134.

6 Browse to the VPN > VPN > L2TP roadwarriors page and configure the following settings:
Setting – Description
Name – Enter a descriptive name for the tunnel.
Enabled – Select to activate the tunnel once it has been added.
Client IP – Enter a client IP address for this connection. The IP address must be a valid and
available IP on the globally specified internal network.
Username – Enter a username for this connection.
Password – Enter a password for the connection.
Again – Re-enter the password to confirm it.
Authenticate by – To dedicate this connection to a specific user, choose the user’s certificate from
the drop-down list. To allow any valid certificate holder to use this tunnel, choose the Certificate
provided by peer option. If your organization anticipates supporting many road warrior connections,
authenticating by a specific certificate is recommended for ease of management.
L2TP client OS – From the drop-down list, select the L2TP client's OS.
Comment – Enter a descriptive comment.
7 Click Advanced and, from the Local certificate drop-down list, select Default.
170
8 Click Add. Advanced Firewall lists the tunnel in the Current tunnels area.
To configure client access to the L2TP tunnel, see Installing an L2TP Client on page 158.

Advanced VPN Configuration
The following sections explain how and when you might want to use non-standard configurations of
CAs, certificates and tunnel definitions to:
• Allow sites to autonomously manage their own road warriors
• Create VPN links between co-operating organizations
• Create VPN hubs that link networks of networks.

Multiple Local Certificates
In some instances, it may be desirable to install multiple local certificates that are used to identify the
same host. There are a number of situations where this might be desirable:
• Autonomous management of road warrior tunnels from multiple sites.
• Autonomous management of site-to-site tunnels from multiple sites.
Multiple local certificates are typically used to de-centralize VPN management in larger networks. For
instance, a VPN could be used to create a WAN (Wide Area Network) between three head offices of
a multinational company. Each head office must be responsible for its own VPN links that connect
its regional branches to its head office, as otherwise there would be a reliance on a single set of
administrators in one country / time zone preparing certificates for the entire organization.
Using the above example, each head office VPN gateway could utilize two local IDs (certificates):
• Country head office ID – This ID would be used by a head office to identify itself to head offices from
other countries, to form VPN tunnels that make up the international WAN.
• Head office ID – This ID would be used by a head office to identify itself to other domestic offices, so
that it can manage VPN tunnel connectivity within its own region.
The same concept can be applied to any situation where autonomous VPN management is required.
To continue the above example, many of the offices within one particular country require a number
of road warrior users to connect to their local networks. In this instance, a branch office VPN gateway
could utilize two local IDs (certificates):
• Regional branch office ID – This ID would be used by a branch office to identify itself to the head office
and other branch offices that make up the country-wide WAN.
• Branch office ID – This ID would be used by a branch office to identify itself to its local road warriors,
so that it can manage road warrior connectivity to its own branch.

Creating Multiple Local Certificates
This example will demonstrate how to delegate VPN management from an unconfigured master
Advanced Firewall system to an unconfigured secondary Advanced Firewall system. The secondary
Advanced Firewall system will be responsible for managing site-to-site and road warrior connections
within its own geography.
Firstly, we must create a tunnel to link the master Advanced Firewall to the secondary Advanced
Firewall.
Since this example covers configuration from scratch, you must follow the instructions from the step
most appropriate to your current level of VPN connectivity.
1 On the master system, navigate to the VPN > VPN > Certificate authorities page.
2 Create a local Certificate Authority, see Creating a CA on page 131.
171

3 Create signed certificates for the master and secondary Advanced Firewall systems, see Managing
Certificates on page 134.
4 Install the master signed certificate as the master Advanced Firewall's default local certificate, see
Setting the Default Local Certificate on page 137.
5 Create the tunnel specification to the secondary Advanced Firewall system, see Site-to-Site VPNs –
IPSec on page 138.
6 Export the secondary Advanced Firewall's signed certificate using the PKCS#12 format, see
Exporting Certificates on page 135.
7 Export the master Advanced Firewall's CA certificate in PEM format, see Exporting the CA Certificate
on page 132.
The remaining series of configuration steps are all carried out on the secondary Advanced Firewall
system, firstly to create the primary site-to-site link.
To create the primary site-to-site link:

1 On the secondary system, navigate to the VPN > VPN > Certificate authorities page.
2 Import the CA certificate on the secondary Advanced Firewall, see Importing Another CA's Certificate
on page 133.
3 Import the signed certificate on the secondary Advanced Firewall system, see Importing a Certificate
on page 136.
4 Install the signed certificate as the default local certificate, see Setting the Default Local Certificate on
page 137.
5 Create the tunnel specification to the master Advanced Firewall system, with Local certificate set to
Default, see Site-to-Site VPNs – IPSec on page 138.
6 Test the VPN connection.
The next step is to create an additional CA on the secondary Advanced Firewall system. This
additional CA will be used to create another local certificate for the secondary Advanced Firewall
system, as well as certificates for any further site-to-site or road warrior connections that it will be
responsible for managing.
To create an additional CA on the secondary Advanced Firewall system:

1 On the secondary system, navigate to the VPN > VPN > Certificate authorities page.
2 Create a new local Certificate Authority, see Creating a CA on page 131.
3 Create a new signed certificate for the secondary Advanced Firewall system (this will be used as the
secondary Advanced Firewall's second local certificate), see Creating a Certificate on page 134.
4 Create a new signed certificate for any host whose VPN connectivity will be managed by the
secondary Advanced Firewall system.
5 Create a site-to-site or road warrior tunnel specification, and choose the second signed certificate
(created by the previous step) as the Local certificate.
6 Export the local CA and signed certificate created by step 4 to any host whose VPN connectivity will
be managed by the secondary Advanced Firewall system.
7 Create the remote tunnel specification (this could be a road warrior client or another site-to-site
gateway).

Public Key Authentication
It is possible to authenticate a VPN tunnel by exchanging each host's public key with the other.
During authentication, each host uses the other host's public key to decrypt the (private key
encrypted) certificate it will be passed as identity credentials.
This configuration does not require the CA that created either host's certificate to be known to either
VPN gateway. This can be useful in many ways:
172
• Simplified internal management, using certificates created by an external Certificate Authority.
• Tunnelling between two separate organizations using certificates created by different (possibly
external) CAs.
• Alternative scheme to allow both ends of the tunnel to create their own CA and default local
certificates. This would enable each VPN gateway to manage their own site-to-site and road warrior
connections. This achieves the same result as the previous technique described in the Multiple local
certificates section.

Note: The use of public key authentication should not be considered as a direct replacement for a stringent
X509 based authentication setup. While public key authentication does use some of the same
technologies that constitute an X509 solution, it lacks the ability to validate certificate authenticity. As
such, appropriate precautions should be taken when considering implementing this alternative
authentication method.
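The difference the note describes, between chaining a presented certificate to an imported CA and merely matching a pinned public key, is easiest to see side by side. The Go program below is an added example, not part of Advanced Firewall or this guide; it builds in memory the set-up from the Multiple Local Certificates section (a master gateway, a secondary gateway with its own CA) plus a third CA that neither gateway has imported, then applies both checks to certificates the secondary might present. The names master-ca, secondary-ca, other-ca and secondary-fw are constructed for the example, and the helpers panic on key generation or signing failures rather than returning errors, which keeps the scenario readable.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template builds a minimal certificate body; ca=true makes it usable as an issuer.
func template(cn string, ca bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	t := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// mustKey generates a P-256 key pair (demo helper: panics on failure).
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustIssue signs tmpl for pub with the issuer's key; a nil parent yields a
// self-signed certificate, i.e. a CA root (demo helper: panics on failure).
func mustIssue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// TrustedByCA is the X509 check: the presented certificate must chain to a
// CA whose certificate has been imported on this gateway.
func TrustedByCA(peer *x509.Certificate, importedCAs ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, ca := range importedCAs {
		pool.AddCert(ca)
	}
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// MatchesPinnedKey is the public key authentication check: the key in the
// presented certificate must equal the key imported earlier. The issuer is
// never consulted, which is the limitation the note above describes.
func MatchesPinnedKey(peer, pinned *x509.Certificate) bool {
	return bytes.Equal(peer.RawSubjectPublicKeyInfo, pinned.RawSubjectPublicKeyInfo)
}

// Outcome records what the master gateway concludes about each presented certificate.
type Outcome struct {
	SecondaryTrustedBeforeImport bool // secondary CA not yet imported on the master
	SecondaryTrustedAfterImport  bool // after importing the secondary CA certificate
	ReissuedMatchesPin           bool // same key pair, re-certified by an unrelated CA
	ReissuedTrustedByCA          bool // that same certificate under the X509 check
	ImpostorMatchesPin           bool // same CommonName, different key pair
}

// RunScenario models a master gateway, a secondary gateway with its own CA,
// and a third CA neither gateway has imported. Everything is generated in memory.
func RunScenario() Outcome {
	masterKey, secCAKey, hostKey, otherCAKey, impostorKey := mustKey(), mustKey(), mustKey(), mustKey(), mustKey()
	masterCA := mustIssue(template("master-ca", true), nil, &masterKey.PublicKey, masterKey)
	secondaryCA := mustIssue(template("secondary-ca", true), nil, &secCAKey.PublicKey, secCAKey)
	otherCA := mustIssue(template("other-ca", true), nil, &otherCAKey.PublicKey, otherCAKey)
	// The secondary's local certificate, signed by its own CA and exported in PEM to the master.
	secondaryHost := mustIssue(template("secondary-fw", false), secondaryCA, &hostKey.PublicKey, secCAKey)
	// Same key pair, but certified by a CA the master never imported.
	reissued := mustIssue(template("secondary-fw", false), otherCA, &hostKey.PublicKey, otherCAKey)
	// Same name, different key pair: a party that does not hold the secondary's private key.
	impostor := mustIssue(template("secondary-fw", false), otherCA, &impostorKey.PublicKey, otherCAKey)
	return Outcome{
		SecondaryTrustedBeforeImport: TrustedByCA(secondaryHost, masterCA),
		SecondaryTrustedAfterImport:  TrustedByCA(secondaryHost, masterCA, secondaryCA),
		ReissuedMatchesPin:           MatchesPinnedKey(reissued, secondaryHost),
		ReissuedTrustedByCA:          TrustedByCA(reissued, masterCA, secondaryCA),
		ImpostorMatchesPin:           MatchesPinnedKey(impostor, secondaryHost),
	}
}
```

Importing the secondary CA's certificate on the master is what the Creating Multiple Local Certificates steps achieve, and it is the only thing that changes the X509 outcome. The pinned-key check does reject a peer that does not hold the secondary's private key, but it accepts the same key under any issuer, so revocation or re-issuance by a CA is invisible to it; that is the precaution the note asks for.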

Configuring Both Ends of a Tunnel as CAs
This configuration example uses public key authentication to connect two Advanced Firewall
systems, each with their own CA so that they can manage their own site-to-site and road warrior
connections.
The following assumptions have been made:
• Two Advanced Firewall systems.
• Each Advanced Firewall has its own CA.
• Each CA has created a signed certificate for its own local Advanced Firewall system.
To create the tunnel specifications:
1 On both systems, navigate to the VPN > VPN > Certificates page.
2 Export the local certificates from both Advanced Firewall systems using the PEM format, see
Exporting Certificates on page 135.
3 Import each PEM certificate on the opposite Advanced Firewall system, see Importing a Certificate
on page 136.
4 Create an IPSec site-to-site tunnel specification on the first Advanced Firewall system, and select the
second Advanced Firewall system's host certificate in the Authenticate by drop-down list.
5 Create an IPSec site-to-site tunnel specification on the second Advanced Firewall system, and select
the first Advanced Firewall system's host certificate in the Authenticate by drop-down list.
The tunnel can now be established and authenticated between the two Advanced Firewall systems.
In addition, each Advanced Firewall system is able to autonomously manage its own site-to-site and
road warrior connections by using its own CA to create additional certificates.

VPNs between Business Partners
To create a VPN between two separate organizations (such as two firms working together as
partners), it is most likely that an IPSec tunnel will be required. This may be to a non-Advanced
Firewall system, so a degree of co-ordination will be required to decide upon a compatible tunnel
specification.
This example uses certificates created by an external, commercial CA so that each organization can
authenticate certificates presented by the other using a CA that is independent of both organizations.
This configuration example assumes the following:

• Local Advanced Firewall system.

• Host certificates created by the same commercial CA.

• Host certificate, Certificate A, created by the commercial CA for the Advanced Firewall system.

• Host certificate, Certificate B, created by the commercial CA for the other organization’s VPN gateway.

Firstly, import the certificate created for the local Advanced Firewall system (Certificate A).
To import the certificate:

1 On the local system, navigate to the VPN > VPN > Certificates page.

2 Import Certificate A, see Importing a Certificate on page 136.
Next, import the commercial CA's certificate:

1 On the system, navigate to the VPN > VPN > Certificates page.

2 Import the CA's certificate according to the file format it was supplied in, see Importing Another CA's
Certificate on page 133.
Next, configure the local tunnel specification in co-operation with the other organization. This is most
likely to be an IPSec site-to-site connection, though it is possible that you could connect to their
network as a road warrior. In either case, full consultation between both organizations is required to
decide on the configuration options to be used on the respective VPN gateways.
Follow these steps to create a site-to-site connection:

1 Connect to Advanced Firewall on the Advanced Firewall system and navigate to the VPN > VPN >
IPSec subnets page.

2 In the local tunnel specification, choose Default local cert subject or Default local cert subject
alt.name from the Local ID type drop-down list. However, it may be necessary to use user specified
values if the other VPN gateway is not directly compatible with Advanced Firewall's communication
of certificate subjects.

3 Choose Certificate A from the Local certificate drop-down list to ensure that this tunnel overrides any
default local certificate that might be configured.

4 Choose Certificate provided by peer from the Authenticate by drop-down list. This will ensure that
Advanced Firewall will authenticate Certificate B when it is presented by the other organization’s VPN
gateway.

5 Choose the remote ID type from the Remote ID type drop-down list that was entered during the
creation of Certificate B using the commercial CA.

6 Confer with the other organization regarding all other configuration settings and ensure that they
authenticate the tunnel using the CA's certificate and Certificate A as provided by Advanced Firewall
at connection time.

Extended Site to Site Routing
A useful feature of Advanced Firewall is its ability to use the VPN as a means of linking multiple
networks together by creating a centralized VPN hub. The hub is used to route traffic between
different networks and subnets by manipulation of the local and remote network settings in each
tunnel specification.
This potentially allows every network to be linked to every other network without the need for a fully
routed network of VPN tunnels, i.e. a tunnel from every site to every other site. A fully routed network
can be awkward to configure and maintain.
This configuration example assumes the following:

• Site A – Local network: 192.168.10.0/255.255.255.0 – Tunnel A connects to Site B.

• Site B – Local network: 192.168.20.0/255.255.255.0 – Tunnel A connects to Site A, Tunnel
C connects to Site C.

• Site C – Local network: 192.168.30.0/255.255.255.0 – Tunnel C connects to Site B.
The advantage of this approach is that only one tunnel is required for each remote network. The
disadvantage is that the central VPN gateway is now routing traffic not destined for it, thus it requires
additional resources for its bandwidth. Also, the central VPN creates a single point of failure in the
network. An improved approach would incorporate backup tunnel definitions that could be used to
create a fail-over VPN hub elsewhere on the network.

Site A Tunnel Definition
A definition for Tunnel A (connecting Site A to Site B) is required. Use the following local and remote
network settings:

• Local network – 192.168.10.0/255.255.255.0

• Remote network – 192.168.0.0/255.255.0.0
With this configuration, any traffic destined for the Site B network (any address in the range
192.168.20.0 to 192.168.20.255) will be routed to Site B, as this range falls within the
definition of the remote end of Tunnel A.
Any traffic destined for the Site C network (any address in the range 192.168.30.0 to
192.168.30.255) will also be routed to Site B, as this range also falls within the definition of the
remote end of Tunnel A. However, this traffic still needs to be forwarded to Site C to reach its
destination – Tunnel C from Site B will ensure this.

Site B Tunnel Definitions
First, a definition for Tunnel A (connecting Site B to Site A) is required. Use the following local and
remote network settings:

• Local network – 192.168.0.0/255.255.0.0

• Remote network – 192.168.10.0/255.255.255.0
With this configuration, any traffic destined for the Site A network (any address in the range
192.168.10.0 to 192.168.10.255) will be routed to Site A, as this range falls within the
definition of the remote end of Tunnel A.
Next, a definition for Tunnel C (connecting Site B to Site C) is required. Use the following local and
remote network settings:

• Local network – 192.168.0.0/255.255.0.0

• Remote network – 192.168.30.0/255.255.255.0
With this configuration, any traffic destined for the Site C network (any address in the range
192.168.30.0 to 192.168.30.255) will be routed to Site C, as this range falls within the
definition of the remote end of Tunnel C.

Site C Tunnel Definition
A definition for Tunnel C (connecting Site C to Site B) is required. Use the following local and remote
network settings:

• Local network – 192.168.30.0/255.255.255.0

• Remote network – 192.168.0.0/255.255.0.0
With this configuration, any traffic destined for the Site B network (any address in the range
192.168.20.0 to 192.168.20.255) will be routed to Site B, as this range falls within the
definition of the remote end of Tunnel C.
Any traffic destined for the Site A network (any address in the range 192.168.10.0 to
192.168.10.255) will also be routed to Site B, as this range also falls within the definition of the
remote end of Tunnel C. However, this traffic still needs to be forwarded to Site A to reach its
destination – Tunnel A from Site B will ensure this.
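The hub-and-spoke selectors above can be checked before they are entered on the gateways. The following Python script is an added example, not part of the Smoothwall guide or product: it models each site's Local network / Remote network pairs from this section, traces how a packet is carried hop by hop (Site A to Site C transits Site B's gateway and is then re-encapsulated into Tunnel C), and lists which site pairs depend on the hub, i.e. the single point of failure noted above. The site names, tunnel names and addresses are those of the section; the functions select_tunnel, trace and transit_dependencies are the example's own.

```python
"""Hub-and-spoke VPN routing model (added example, not Smoothwall code).

Each gateway holds IPSec tunnel definitions made of a Local network and a
Remote network.  A packet leaving a site is carried by the tunnel whose
policy covers (source, destination); when the receiving gateway is not the
final destination it forwards the packet down one of its own tunnels.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Tunnel:
    """One site-to-site tunnel definition as entered on a gateway."""
    name: str
    local: IPv4Network    # the "Local network" setting
    remote: IPv4Network   # the "Remote network" setting
    peer: str             # site at the other end of the tunnel


# Tunnel definitions exactly as given in this section; Site B is the hub.
SITES: Dict[str, dict] = {
    "A": {
        "lan": ip_network("192.168.10.0/24"),
        "tunnels": [
            Tunnel("Tunnel A", ip_network("192.168.10.0/24"), ip_network("192.168.0.0/16"), "B"),
        ],
    },
    "B": {
        "lan": ip_network("192.168.20.0/24"),
        "tunnels": [
            Tunnel("Tunnel A", ip_network("192.168.0.0/16"), ip_network("192.168.10.0/24"), "A"),
            Tunnel("Tunnel C", ip_network("192.168.0.0/16"), ip_network("192.168.30.0/24"), "C"),
        ],
    },
    "C": {
        "lan": ip_network("192.168.30.0/24"),
        "tunnels": [
            Tunnel("Tunnel C", ip_network("192.168.30.0/24"), ip_network("192.168.0.0/16"), "B"),
        ],
    },
}


def select_tunnel(site: str, src: IPv4Address, dst: IPv4Address) -> Optional[Tunnel]:
    """Return the tunnel at `site` whose policy covers src -> dst, or None.

    Traffic for the site's own LAN never enters a tunnel.  If several tunnels
    match, the most specific Remote network wins, which is how the hub's /24
    definitions take precedence over any broader selector.
    """
    if dst in SITES[site]["lan"]:
        return None
    matches = [t for t in SITES[site]["tunnels"] if src in t.local and dst in t.remote]
    if not matches:
        return None
    return max(matches, key=lambda t: t.remote.prefixlen)


def trace(src_site: str, src: str, dst: str, max_hops: int = 4) -> List[Tuple[str, str]]:
    """Follow a packet from `src_site` until it reaches the LAN holding `dst`.

    Returns the (site, tunnel name) hops taken.  Raises ValueError when no
    policy covers the traffic at some hop, or when the hop limit is exceeded,
    which would mean the tunnel definitions form a loop.
    """
    src_addr, dst_addr = ip_address(src), ip_address(dst)
    path: List[Tuple[str, str]] = []
    site = src_site
    for _ in range(max_hops):
        if dst_addr in SITES[site]["lan"]:
            return path
        tunnel = select_tunnel(site, src_addr, dst_addr)
        if tunnel is None:
            raise ValueError(f"{site}: no tunnel policy covers {src} -> {dst}")
        path.append((site, tunnel.name))
        site = tunnel.peer
    raise ValueError("hop limit exceeded: tunnel definitions form a loop")


def transit_dependencies(hub: str) -> Set[Tuple[str, str]]:
    """Ordered site pairs whose traffic is forwarded through `hub`.

    These are the conversations that stop if the hub gateway fails: the
    single point of failure the section warns about.
    """
    deps: Set[Tuple[str, str]] = set()
    for s in SITES:
        for d in SITES:
            if s == d or d == hub:
                continue
            # Probe with an arbitrary host address from each LAN.
            hops = trace(s, str(SITES[s]["lan"][10]), str(SITES[d]["lan"][10]))
            if any(site == hub for site, _ in hops[1:]):
                deps.add((s, d))
    return deps


if __name__ == "__main__":
    print("A -> C:", trace("A", "192.168.10.5", "192.168.30.7"))
    print("C -> A:", trace("C", "192.168.30.7", "192.168.10.5"))
    print("pairs depending on B:", sorted(transit_dependencies("B")))
```

Because Site A's Remote network of 192.168.0.0/16 also contains Site A's own 192.168.10.0/24, the model checks the local LAN before any tunnel, mirroring the gateway delivering local traffic directly. A source address outside a tunnel's Local network (for instance a host that is not on the site LAN) is rejected at the first hop, which is the same symptom an administrator sees when the local and remote selectors at the two ends do not mirror each other.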

Managing VPN Systems
The following sections document how to:

• Control VPNs

• Open and close tunnels

• Monitor and report tunnel activity

• Display tunnel logging information

• Update tunnel licensing.

Automatically Starting the VPN System
Advanced Firewall’s VPN system can be set to automatically start when the system is booted. This allows
road warriors to tunnel in without having to wait for the system to be started. It also allows site-to-site
tunnels that are initiated on the Advanced Firewall system to automatically negotiate a site-to-site
connection.
To configure automatic start up:

1 Navigate to the VPN > VPN > Control page.

2 In the Automatic control area, select Start VPN sub-system automatically.

3 Click Save.

Manually Controlling the VPN System
The following sections explain how to start, restart, stop and view the status of the VPN system.

Starting/Restarting the VPN System
To start or restart the VPN system:

1 Navigate to the VPN > VPN > Control page.

2 Click Restart in the Manual control region.

Stopping the VPN System
To stop the VPN system:

1 Navigate to the VPN > VPN > Control page.

2 Click Stop from the Manual control region.

Viewing the VPN System Status
To view the VPN system status:

1 Navigate to the VPN > VPN > Control page.

2 Click Refresh in the Manual control region.

3 View the current status from the Current status information field.
There are two possible system statuses:

• Running – The VPN system is currently operational, tunnels can be connected.

• Stopped – The VPN system is not currently operational, no tunnels can be connected.

Viewing and Controlling Tunnels
All configured tunnels can be viewed and controlled from the VPN > VPN > Control page. There are two
possible tunnel statuses:

• Open – The tunnel is connected, communication across the tunnel can be made.

• Closed – The tunnel is not connected, no communication across the tunnel can be made.

IPSec Subnets
Site-to-site IPSec subnet connections are shown in the IPSec subnets region of the VPN > VPN > Control
page. The information displayed is:

• Name – The name given to the tunnel.

• Remote IP – The IP address of the other end of the tunnel.

• Control:
  • Up – Open the tunnel connection
  • Down – Close the tunnel connection.

IPSec Road Warriors
IPSec road warrior connections are shown in the IPSec road warriors region of the VPN > VPN > Control
page. The information displayed is:

• Name – The name given to the tunnel.

• Remote IP – The IP address of the other end of the tunnel.

• Internal IP – The IP address of the local tunnel end.

• Control:
  • Up – Open the tunnel connection
  • Down – Close the tunnel connection.

L2TP Road Warriors
L2TP road warrior connections are shown in the L2TP Road Warriors region of the VPN > VPN > Control
page. The information displayed is:

• Name – The name given to the tunnel.

• Internal IP – The IP address of the local tunnel end.

• External IP – The IP address of the other end of the tunnel.

• Control:
  • Up – Open the tunnel connection
  • Down – Close the tunnel connection.

SSL Road Warriors
SSL road warrior connections are shown in the SSL Road Warriors region of the VPN > VPN > Control
page. The information displayed is:

• Username – The name given to the tunnel.

• Internal IP – The IP address of the local tunnel end.

• Control:
  • Up – Open the tunnel connection
  • Down – Close the tunnel connection.

VPN Logging
VPN log entries can be found in the Logs and reports > Logs > IPSec page.

VPN Tutorials
The following tutorials cover the creation of the main types of VPN tunnels. The examples build on each
other, i.e. the configuration settings in an example build on those of the previous.

Example 1: Preshared Key Authentication
This first example begins with a simple two network VPN using shared secrets. This is the easiest to set
up. The following networks are to be routed together via a VPN tunnel:

We will use Preshared Key authentication initially. This tunnel we call Tunnel 1.

Configuring Network A
There is no need for a CA or any certificates. On the tunnels page, create a tunnel with the following
characteristics. Where a parameter is not listed, leave it at its default value:

Parameter | Description
Name | Tunnel 1
Local network | Set to the opposite end’s remote network value.

Local ID type | Local IP
Remote IP or hostname | 200.0.0.1
Remote network | 192.168.12.0/24
Remote ID type | Remote IP (or ANY if blank Remote IP)
Authenticate by | Preshared Key
Preshared Key | loudspeaker
Preshared Key again | loudspeaker

All other settings can be left at their defaults.
Note: When configuring multiple PSK-based tunnels, use the User specified IP address as the remote
system ID type and the remote system external IP in the Remote system ID Value.

Configuring Network B
Here a single tunnel is created:

Parameter | Description
Name | Tunnel 1
Local network | Set to the opposite end’s remote network value.
Local ID type | Local IP
Remote IP or hostname | 100.0.0.1
Remote network | 192.168.0.0/24
Remote ID type | Remote IP (or ANY if blank Remote IP)
Authenticate by | Preshared Key
Preshared Key | loudspeaker
Preshared Key again | loudspeaker

Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge.
To create the zone bridge:

1 On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network
and the IPSec interface. If you want traffic to flow in both directions, make the rule bidirectional. For
more information, see Chapter 6, Configuring Inter-Zone Security on page 59.

Testing
Restart the VPN system on both ends. Because both ends are set as initiators, the tunnels should come
up immediately. To actually test that the VPN is routing, ping a host on the remote network from a
machine on the local one. You should also be able to connect to servers and desktops on the remote
network using your standard tools. If this does not happen please refer to Appendix C, Troubleshooting
VPNs on page 331.

Example 2: X509 Authentication
In this example, the same network as used in Example 1 will be used, see Example 1: Preshared Key
Authentication on page 178. This time we will improve the setup by using x509 authentication instead
of PSK.

Configuring Network A
Network A will be configured to be the Certificate Authority in the system. Begin by going to the
Authorities page and setting up the CA. In this example, we will enter My Company Ltd in all
Organization fields on the certificates we create. You should, of course, enter values appropriate to your
organization:

Parameter | Description
Common Name | Network A Cert Auth
Organization | My Company Ltd

From now on, we will list only the required fields.
Next you should export this certificate in PEM format, and save it on the local workstation’s hard disk.
We will call this file ca.pem. You will need this file later.
Switch to the certificates page and create the local certificate. It requires ID information:

Parameter | Description
ID Type | Host & Domain name
ID Value | tunnela.mycompany.com
Common Name | Network A Local Cert

The peer (the Network B machine) needs a certificate too:

Parameter | Description
ID Type | Host & Domain name
ID Value | tunnelb.mycompany.com
Common Name | Network B Cert
Organization | My Company Ltd

Create both certificates, and then export the Network B Cert certificate in PKCS#12 format. You will
need to enter the passphrase to encrypt this certificate with, enter it in both boxes. We will call this file
tunnelb.p12.
Now onto the tunnels page. Choose the Network A Local Cert certificate to be the Default local
certificate, and press Save. We will Restart the VPN shortly to make this change active.

168. The ID is the same as the Certificate ID.0. import the ca.1 Remote network 192. If you want traffic to flow in both directions. the most likely cause is a mismatch of IDs. import the tunnelb.p12 file you created earlier. Check the IDs in the certificates by clicking on them in the certificate page.com Authenticate by Certificate presented by peer Creating a Zone Bridge In order for traffic to flow down the tunnel. name Remote IP or hostname 100. Network B Cert as the Default local certificate and click Save. For more information. 2 On to the certificates page.1 Remote network 192. name Remote IP or hostname 200. Configuring Inter-Zone Security on page 59. see Chapter 6. If the tunnel fails to come up. 3 Chose the certificate. Local ID type Default local cert subject alt.Smoothwall Advanced Firewall Administrator’s Guide The tunnel specification is a little more complex.pem file. Examine the log for telltale messages.mycompany.168. make the rule bi-directional. Configuring Network B The first step is to import the certificates.mycompany. Local ID type Default local cert subject alt.0. restart both ends of the tunnel. you must create a zone bridge.12.0.0/24 Remote ID type Host & Domain name Remote ID value tunnel. create a zone bridge between the local network and the IPSec interface. On the Networking > Filtering > Zone bridging page.0/24 Remote ID type Host & Domain name Remote ID value tunnelb. Remember to input the passphrase used to create the export file in both boxes.0. Testing As before.0. 181 . The tunnel configuration should look like this: Parameter Description Name Tunnel 1 Local network Set to the opposite end's remote network value. To import the certificates: 1 On the Certificate authorities page. Here it is: Parameter Description Name Tunnel 1 Local network Set to the opposite end's remote network value.com Authenticate by Certificate presented by peer Add the tunnel.

168. name Remote IP or hostname 250. We set the following properties for this certificate: Parameter Description ID Type Host & Domain name ID Value tunnelc. In Extended Site to Site Routing on page 174.168.0. Network C to the VPN network.mycompany.Virtual Private Networking VPN Tutorials Example 3: Two Tunnels and Certificate Authentication We will now add an additional system.0/24 .0.0/16 Local ID type Default local cert subject alt. Now we create a new tunnel to Advanced Firewall C: 182 Parameter Description Name Tunnel 2 Local subnet 192. we explained how to create centralized VPN hubs using extended subnetting. All settings are unchanged except: Parameter Description Local subnet 192.com Common Name Advanced Firewall C Cert Organization My Company Ltd Modify the existing tunnel to Network B. We want Network C to be able to access both the Network A subnet and Network B.0.0/16 Notice how this subnet mask now covers all subnets in the VPN. Network A Configuration Create a new certificate for the new peer.13.1 Remote network 192.168. and vice versa. We will use this technique to allow Network B to route to Network C. and export it as a PKCS#12 file.0.

see Chapter 6. 183 . After bringing up both tunnels.com Authenticate by Certificate presented by peer Network B Configuration Modify the tunnel as follows: Parameter Description Remote subnet 192. This road warrior will connect to the Network A gateway.168.0.0/16 Network C Configuration Import the certificate. In addition to being able to access the Network A local network (192.1 Remote network 192. For more information.com Authenticate by Certificate presented by peer Creating a Zone Bridge In order for traffic to flow down the tunnel. create a zone bridge between the local network and the IPSec interface. you must create a zone bridge. you should test by pinging a machine on the Network A end from both of the Network B and Network C networks. running SafeNet SoftRemote.0.0/24). If you want traffic to flow in both directions.168. and then create the tunnel to Network A: Parameter Description Name Tunnel 2 Local ID type Default local cert subject alt. Configuring Inter-Zone Security on page 59. name Remote IP or hostname 100. Example 4: IPSec Road Warrior Connection Now we will add a road warrior. the road warrior will be able to access Network B and Network C as well.0. Then you should test that you can route across Network A by pinging a host on the Network C network from the Network B network. make the rule bi-directional.mycompany. On the Networking > Filtering > Zone bridging page.Smoothwall Advanced Firewall Administrator’s Guide Parameter Description Remote ID type Host & Domain name Remote ID value tunnelc.mycompany.0/16 Remote ID type Host & Domain name Remote ID value tunnela. Testing Test in the same way as before.0.0.168.

The road warrior is required to assume an internal IP on Network A’s local network, in this case:
192.168.0.5.

Network A Configuration
Create a certificate with the following properties:

Parameter | Description
Common Name | IPSec road warrior
Organization | My Company Ltd

Note: No ID is required on this certificate.
Now create the IPSec road warrior tunnel:

Parameter | Description
Name | IPSec road warrior
Local network | 192.168.0.0/16
Local ID type | Default local cert subject
Client IP | 192.168.0.5
Remote ID type | Remote IP (or ANY if blank Remote IP)
Authenticate by | Certificate provided by peer

Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need the
CA file, ca.pem.

SoftRemote – Configuration
This tutorial describes setting up the client using a policy template as a shortcut to getting the
connection up and running. Full details, including detailed screen shots, are given in Working with
SafeNet SoftRemote on page 187.
After installing the client, begin by going to the Certificate Manager and importing the ca.pem and the
computercert.p12 certificate.
In the Security Policy Editor, import the template policy, policytemplate.spd, which is on the installation
CD. This policy file contains most of the input fields pre-filled with suitable defaults, and will save a lot
of time configuring the client. If you use different settings to those described in this tutorial,
compression for example, then you will have to modify those settings.
The following fields need to be filled in after importing the policy template.
In road warrior:

Parameter | Description
Gateway IP Address | 100.0.0.1
Subnet | 192.168.0.0
Mask | 255.255.0.0

In My Identity:

Parameter | Description
Internal Network IP Address | 192.168.0.5

After making the changes, remember to save the Security Policy.

Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge. On the Networking >
Filtering > Zone bridging page, create a zone bridge between the local network and the IPSec interface.
If you want traffic to flow in both directions, make the rule bidirectional. For more information, see
Chapter 6, Configuring Inter-Zone Security on page 59.

Testing
To bring up the connection, the simplest way is to ping a host on the network behind the gateway. After
a few retries, you should see the task bar icon change to show a yellow key. This indicates that the
tunnel is up. Your client computer will then appear to be connected to the local network behind the VPN
gateway. You should be able to browse web servers, and so on. This works both ways, a machine on the
local network can connect to the road warrior. Also, you should be able to connect to all three networks,
because the tunnel covers all three local networks.

Example 5: L2TP Road Warrior
This example consists of an additional road warrior client, this time running Microsoft Windows XP and
using Microsoft’s L2TP road warrior client.

Network A Configuration
Create a certificate with the following properties:

Parameter | Description
Common Name | L2TP road warrior
Organization | My Company Ltd

Note: No ID is required on this certificate.
Now create the L2TP road warrior tunnel:

Parameter | Description
Name | L2TP road warrior
Authenticate by | Certificate provided by peer
Client IP | 192.168.0.6
Username | road warrior
Password | microphone

Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need the
CA file, ca.pem.

L2TP Client Configuration
This tutorial only outlines the process of configuring an L2TP client. For detailed instructions, see
Installing an L2TP Client on page 158.

Begin by using the L2TPWizard to import the two certificates. Then add the tunnel. After bringing up
the New Connection wizard, the only details that must be configured is the VPN gateway external
address, 100.0.0.1 in this example. In the Connection dialog, enter the username and password as
configured on the Advanced Firewall A gateway:

Parameter | Description
Username | road warrior
Password | microphone

Finally, press the Connect button to initiate a connection to the Advanced Firewall A VPN gateway.
In TCP/IP properties, Advanced settings, you can choose to use the remote network as the default
gateway for the L2TP client. This option, enabled by default, is required if the client needs to be able to
route to the Advanced Firewall B and Advanced Firewall C networks. This is because the L2TP client
does not provide any facilities for setting up remote network masks.

Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge. On the Networking >
Filtering > Zone bridging page, create a zone bridge between the local network and the L2TP interface. If
you want traffic to flow in both directions, make the rule bi-directional. For more information, see
Chapter 6, Configuring Inter-Zone Security on page 59.

Working with SafeNet SoftRemote
The following sections are a configuration guide for connecting to the Advanced Firewall VPN gateway
using SafeNet SoftRemote.

Configuring IPSec Road Warriors
First, create a signed certificate for the road warriors. An ID type is not normally required, although it
does no harm to include one when creating the certificate. Each road warrior requires their own tunnel,
so create as many tunnels as there are road warriors.
On the VPN > VPN > IPSec roadwarrior page, set the Local ID type to Default local cert Subject, and set
the Authenticate by setting to the certificate for this road warrior connection.
Note: The same advanced options are available as used when configuring IPSec Subnet VPNs. This
includes the encryption settings, and overriding the default local certificate.
When connected, each road warrior gets an IP address in a specified local network zone. When
connected, each road warrior client will, to all intents and purposes, be on the local network zone. This
also means that other machines in the network can see the client, just as if it was plugged in directly. It
will be possible to route to other subnets, including VPN-connected ones.
Each road warrior user will need their own IP address. Such an IP address must be in a local network
zone and currently unused. Typically, you would choose a group of IP addresses outside of either the
DHCP range, or statically assigned machines such as servers. The Client IP field is used to input the
particular local network IP address. The IP address should be a previously unused address and unique
to the road warrior.

Using the Security Policy Template
This documentation covers both version 9 and version 10 of this client. Older versions which support
Virtual IP addresses should also inter-operate. Specifically, version 8 is known to work as well as
version 9. However, you should consider upgrading to at least version 9 because of known
security-related problems with version 8. We also recommend that the LT versions of this software be
used, which do not incorporate Zone Alarm. Configuration of Zone Alarm will not be covered in this
manual.
NAT-T is handled automatically by this client. No extra configuration is required. Check the log
messages in the client to see if NAT-T mode is being used as expected.
To make configuration of this client easier, you may use a Security Policy template, that will pre-fill
most of the settings to suitable values, saving you from the chore of doing it yourself. For completeness,
we will also describe how you would set up the client without the policy and create a connection in the
Security Policy Editor.

1 After installation, open the Certificate Manager.

2 In the My Certificates tab, import a .P12. Enter the export password, and a short time later the
certificate should appear in the list.

3 Next, in the Root CA’s tab, import a CA .PEM from Advanced Firewall. Select the certificate, and click
Verify (on the right). You should get a message saying the certificate is valid (because the CA
certificate is installed) but lacks a CRL (Certificate Revocation List). This indicates the certificate is
valid.

4 Import the Security Policy template, policytemplate.spd, which can be found in the extras folder on
the installation CD. After importing this policy, a single connection, named road warrior, will become
available. Open it.

5 Assuming the Advanced Firewall gateway is using the standard settings for its road warrior clients,
i.e. those described above, only a handful of settings must be entered. In the road warrior section:

6 Enter the Remote Subnet, Mask and the gateway’s hostname (or IP address).

7 In the My Identity section, you must activate a special feature within the client which allows you to
specify a local network zone IP address for the client to take when it connects to the VPN gateway, as
described in D.1:

8 Enter the Internal Network IP Address. All other fields will be pre-filled. Obviously, if you are not
using standard settings, then you will have to modify those particular settings. For instance, if you are
using compression, then you will have to enable it in the client.

9 Save the settings, and close the Security Policy Editor.

10 To bring up the connection to the Advanced Firewall gateway, you must send it a packet. The easiest
way to do this is by pinging a host on the remote network. After a series of Request timed out
messages you should start to get packets back, indicating that the VPN is up (you will also notice the
system tray icon change).

Creating a Connection without the Policy File
We will now describe how to set up the client without using the security policy template. Before
creating the connection:

1 Select Global Policy Settings from the Options menu. A window will appear, and you should tick the
box marked Allow to specify internal network address.

2 Now go back to the tree control on the left and choose the New Connection node. You can rename this
to something more appropriate, like road warrior. In this node, configure the remote Subnet address
and Mask.

3 Choose Secure Gateway Tunnel from the Connect using drop-down list. You should then enter either a
Gateway IP Address or Gateway Hostname, and select an ID Type of Any.

4 Next, move to the My Identity node. Select the certificate you imported earlier. The ID type’s default,
the Distinguished Name, another word for the subject of a certificate, will suffice. Virtual adapter should
be disabled, and Internet Interface set to Any.

5 In the Internal network IP, enter the local network zone IP address (the Client IP) that was specified
when the tunnel was created.

6 Create a new Phase 1 security policy: Select 3DES encryption, and MD5 as the hashing algorithm. Set
the key group to 5, and choose a SA Life of 3000 seconds. This time period has to be less than the
equivalent setting in the Advanced Firewall, which defaults to 60 minutes (3600 seconds). This is
necessary to ensure the tunnel is always re-keyed.

7 Finally create a Phase 2 security policy. Tick the ESP box, set the SA Life to 3000 seconds, and again
3DES and MD5. In this page you can select compression or not, as well as key life settings.

8 Once again, diagnostic logs are available through the tool bar icon.

9 Test as before, by initiating a connection to a host on the Remote Network.
Visit the support portal and knowledge base for information on setting up other clients.

Advanced Configuration
Using the configuration previously described, the selected certificate will be required by the client in
order to obtain a connection. This method is usually desired, but in other cases an Authenticate by
setting of Certificate provided by peer can be more useful, especially if the client certificates are not
installed onto the VPN gateway server.
It is also possible to restrict (or extend) the hosts that the road warrior can access on the local network
zone. This is done by adjusting the Local network parameter in the tunnel configuration. For example,
if you wish to restrict the connected road warriors so that they can only contact a specific IP address,
for example 192.168.2.10, then you could set the Local network parameter to 192.168.2.10/32. Note
that this setting is a network address, so you must always specify a network mask, even if that network
mask covers only a single host. If the VPN server the road warrior connects to is routed onto other
networks such as subnet VPNs or other local network zones, the Local network setting can likewise be
expanded to cover them.

Virtual Private Networking Working with SafeNet SoftRemote 192 .

Chapter 10 Authentication and User Management

In this chapter:
• Configuring global authentication settings
• Working with directory servers
• Managing groups of users
• Managing temporarily banned users
• Viewing user activity
• About SSL login
• Managing Kerberos keytabs
• Using WPA Enterprise

Configuring Global Authentication Settings
Configuring global authentication settings entails setting login timeout, the number of concurrent login sessions allowed and the type of authentication logging you require.
To configure log-in and logging settings:
1 Navigate to the Services > Authentication > Settings page.
2 Configure the following settings:
Setting: Description
Login timeout (minutes): Determines the length of time of inactivity after which a user is logged out. Accept the default or enter the time out period. The behavior of some authentication mechanisms is automatically adjusted by the time-out period. For example, the SSL Login refresh rate will update to ensure that authenticated users do not time-out. Note: Setting a short login timeout increases the load on the machine, particularly when using transparent NTLM or SSL Login. It also increases the rate of re-authentication requests. Setting a long login timeout may enable unauthorized users to access the network if users leave computers without actively logging out. Tip: Encourage users to pro-actively log-out of the system to ensure that other users of their workstation cannot assume their privileges if login time-out is yet to occur. For more information, see Appendix A, About the Login Time-out on page 302.
Concurrent login sessions (per user): Concurrent login settings determine how many logins are allowed per user. The following options are available: No limit – Select this option to allow an unlimited number of logins per user, or enter the number of logins you want to allow users.
Logging level: Logging levels determine the type of authentication logging you want. The following options are available: Normal – Select this option to log user login and LDAP server information. Verbose – Select this option to log user login and LDAP server information, request, response and result information. This option is useful when troubleshooting possible authentication issues.
3 Click Save changes. Advanced Firewall applies the changes.

About Directory Servers
The Advanced Firewall authentication service is designed to enable Advanced Firewall to connect to multiple directory servers in order to:
• Retrieve groups configured in directories and apply network and web filtering permissions to users based on group membership within directories
• Verify the identity of a user who is trying to access network or Internet resources.
Once the connection to a directory service has been configured, Advanced Firewall retrieves a list of the groups configured in the directory and maps them to the groups available in Advanced Firewall. When the groups have been mapped, permissions and network access permissions in the filtering and outgoing sections can be granted on the basis of group membership.

For information on how authentication works and interacts with other systems, see Appendix A, Authentication on page 301.
Currently, Advanced Firewall supports the following directory servers:
Directory: Description
Microsoft Active Directory: Microsoft's Active Directory. For more information, see Configuring a Microsoft Active Directory Connection on page 195. For information on using the legacy method to connect to Active Directory, see Configuring an Active Directory Connection – Legacy Method on page 200.
Novell eDirectory, Apple/Open LDAP, 389 Directory: Various directories which support the LDAP protocol. For more information, see Configuring an LDAP Connection on page 196.
RADIUS: Remote Authentication Dial In User Service. For more information, see Configuring a RADIUS Connection on page 199.
Local users: A directory of Advanced Firewall local users. For more information, see Configuring a Local Users Directory on page 203.

Configuring Directories
The following sections explain how to configure Advanced Firewall for use with supported directory servers.

Configuring a Microsoft Active Directory Connection
The following sections explain the prerequisites for Microsoft Active Directory and how to configure Advanced Firewall to work with Microsoft Active Directory.

Prerequisites for Active Directory
Before you configure any settings for use with Active Directory:
• On the Networking > Interfaces > Interfaces page, check that the primary, and optionally the secondary, DNS server containing the Active Directory information is specified correctly. This DNS server is used by Advanced Firewall for name lookups. For more information, see Appendix A, Advanced Firewall and DNS on page 302.
• Ensure that the times set on Advanced Firewall and your Active Directory server are synchronized using NTP. See Chapter 13, Setting Time on page 269 for more information.
• In Active Directory, choose or configure a non-privileged user account to use for joining the domain. Advanced Firewall stores this account's credentials, for instance, when backing-up and replicating settings. Note: We strongly recommend that you do not use an administrator account. The account that you use needs permission to modify the Computers container. To delegate these permissions to a non-privileged user account, choose Delegate Control on the Computers container, create a custom task to delegate and, for Computer objects, grant the full control, create and delete privileges.

Configuring an Active Directory Connection
The following section explains what is required to configure a connection to Active Directory.
To configure the connection:
1 On the Services > Authentication > Directories page, click Add new directory.
2 In the Add new directory dialog box, select Active Directory and configure the following settings:
Setting: Description
Status: Select Enabled to enable the connection.
Domain: Enter the full DNS domain name of the domain. Other trusted domains will be accessible automatically.
Username: Enter the username of the user account.
Password: Enter the password for the user account.
Confirm: Re-enter the password to confirm it.
Tenants: Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same. Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on tenants, see Chapter 13, Managing Tenants on page 275. For more information on licensing, contact your Smoothwall representative.
Cache timeout (minutes): Click Advanced. Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall will not need to query the directory server for users who log out and log back in as long as their records are still in the cache, i.e. until the cache timeout has been passed. Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords are valid for longer.
Comment: Optionally, enter a comment about the directory.
3 Click Add. Advanced Firewall adds the directory to its list of directories and establishes the connection.

Configuring an LDAP Connection
The following section explains what is required to configure a connection to an eDirectory, Apple/OpenLDAP or 389 directory server.
To configure an LDAP connection:
1 On the Services > Authentication > Directories page, click Add new directory.
2 In the Add new directory dialog box, select one of the following: eDirectory, Apple/OpenLDAP Directory or 389 Directory, and configure the following settings:
Setting: Description
Status: Select Enabled to enable the connection.

Tenants: Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same. Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on tenants, see Chapter 13, Managing Tenants on page 275. For more information on licensing, contact your Smoothwall representative.
LDAP server: Enter the directory's IP address or hostname. Note: If using Kerberos as the bind method, you must enter the hostname.
Bind method: Accept the default bind method, or from the drop-down list, select one of the following options: TLS (with password) – Select to use Transport Layer Security (TLS). Simple bind – Select to bind without encryption. This is frequently used by directory servers that do not require a password for authentication. Kerberos – Select to use Kerberos authentication.
Kerberos realm: If using Kerberos, enter the Kerberos realm. Use capital letters.
Username: Enter the username of a valid account in the LDAP notation format, when not using Kerberos. The format depends on the configuration of the LDAP directory. Normally it should look something like this: cn=user,ou=container,o=organization. This is what is referred to in the Novell eDirectory as tree and context. A user part of the tree Organization and in the context Sales would have the LDAP notation: cn=user,ou=sales,o=organization. For Apple Open Directory, the LDAP username can be written as: uid=user,cn=users,dc=example,dc=org. Consult your directory documentation for more information.
Password: Enter the password of a valid account. Note: A password is not required if using simple bind as the bind method.
Confirm: Re-enter the password to confirm it.

User search root: Enter where in the directory Advanced Firewall should start looking for user accounts. Usually, this is the top level of the directory. In LDAP form, this is seen in the directory as dc=mycompany,dc=local. A Novell eDirectory will refer to this as the tree, taking the same form as the OpenLDAP-based directories: o=myorganization. OpenLDAP based directories will often use the form o=myorganization. Apple Open Directory uses the form: cn=users,dc=example,dc=org. Note: With larger directories, it may be a good idea to narrow down the user search root so Advanced Firewall does not have to look through the entire directory. For example, if all users that need to be authenticated have been placed in an organizational unit, the user search root can be narrowed down by adding ou=userunit in front of the domain base. Note: When working with multi domain environments, the user search root must be set to the top level domain.
Extra user search roots: This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. For example: ou=myusers,dc=mydomain,dc=local. Enter one search root per line.
Group search roots: Enter where in the directory Advanced Firewall should start looking for user groups. Usually this will be the same location as configured in the user search root field. Apple Open Directory uses the form: cn=groups,dc=example,dc=org. Note: In larger directories, it may be necessary to narrow down the group search root. The principle is the same as with the user search root setting. Some directories will not return more than 1000 results for a search, so if there are more than 1000 groups in the directory, a more specific group search root needs to be configured. For more information, see Appendix A, Working with Large Directories on page 303.
Extra group search roots: Optionally, enter where in the directory Advanced Firewall should start looking for more user groups. If there are multiple OUs containing groups that need to be mapped, add the other locations in the advanced section. For example: ou=mygroups,dc=mydomain,dc=local. Enter one search root per line.
LDAP port: Accept the default or enter the LDAP port to use. Note: LDAPs (SSL) will be automatically used if you enter port number 636.
Cache timeout: Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall does not query the directory server for users who log out and log back in as long as their records are still in the cache.
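The search-root settings above are easier to reason about with a small model of them. The following is an added example, not Smoothwall code, that builds the base DN for a domain, narrows it with an OU as the guide describes, parses the one-root-per-line fields and reports which users a given set of roots can reach; the DNs in it are constructed placeholders, and DN handling is simplified (no escaped commas).

```python
"""Added example (not Smoothwall code): helpers that model the LDAP search
root settings described above: the base DN for a domain, narrowing it with
an OU, extra search roots entered one per line, and which users a given
set of roots can reach.

Assumptions: simplified RFC 4514 handling (no escaped commas or multi-valued
RDNs); every DN below is a constructed placeholder in the guide's own style.
"""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), both lower-cased for comparison


def split_dn(dn: str) -> List[RDN]:
    """'CN=Alice, OU=Sales, DC=example, DC=org' -> [('cn', 'alice'), ...]."""
    rdns: List[RDN] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def join_dn(rdns: List[RDN]) -> str:
    return ",".join(f"{attr}={value}" for attr, value in rdns)


def domain_to_base_dn(dns_domain: str) -> str:
    """Top-level search root of an AD/OpenLDAP-style directory:
    'mycompany.local' -> 'dc=mycompany,dc=local'."""
    labels = [label for label in dns_domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty DNS domain")
    return ",".join(f"dc={label.lower()}" for label in labels)


def narrow_search_root(base_dn: str, *ous: str) -> str:
    """Narrow a search root by adding OUs in front of the domain base,
    innermost OU first, e.g. ('dc=mycompany,dc=local', 'userunit')
    -> 'ou=userunit,dc=mycompany,dc=local'."""
    return join_dn([("ou", ou.lower()) for ou in ous] + split_dn(base_dn))


def is_under_root(entry_dn: str, search_root: str) -> bool:
    """True when the entry sits at or below the search root (DN suffix match)."""
    entry, root = split_dn(entry_dn), split_dn(search_root)
    return len(entry) >= len(root) and entry[len(entry) - len(root):] == root


def parse_root_lines(text: str) -> List[str]:
    """The 'one search root per line' fields: trim lines, drop blanks."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def unreachable_users(user_dns: List[str], roots: List[str]) -> List[str]:
    """Users that none of the configured roots (user search root plus any
    extra user search roots) would find, preserving input order."""
    return [u for u in user_dns if not any(is_under_root(u, r) for r in roots)]


def ldap_scheme_for_port(port: int) -> str:
    """The guide states LDAPS (SSL) is used automatically for port 636."""
    return "ldaps" if port == 636 else "ldap"


# Constructed sample directory: one OU per department plus a child domain.
SAMPLE_USERS = [
    "cn=alice,ou=sales,dc=mycompany,dc=local",
    "cn=bob,ou=engineering,dc=mycompany,dc=local",
    "cn=carol,ou=users,dc=paris,dc=mycompany,dc=local",  # child domain
]

if __name__ == "__main__":
    base = domain_to_base_dn("mycompany.local")
    print("top-level root misses:", unreachable_users(SAMPLE_USERS, [base]))
    narrowed = narrow_search_root(base, "sales")
    print(narrowed, "misses:", unreachable_users(SAMPLE_USERS, [narrowed]))
    extra = parse_root_lines("ou=engineering,dc=mycompany,dc=local\n\n")
    print("with extra roots misses:", unreachable_users(SAMPLE_USERS, [narrowed] + extra))
```

The child-domain user is only found from the top-level base, which is the multi-domain rule the table gives; a narrowed root that misses users is the symptom to check first when a directory-authenticated user unexpectedly fails to log in.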

Extra realms: This setting enables you to configure subdomains manually using DNS. Only available if you have selected Kerberos as the authentication method. Use the following format: <realm><space><kdc server> For example: example.org kdc.example.org Enter one realm per line.
Discover Kerberos realms through DNS: Select this advanced option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Advanced Firewall to try to find all the domains in the directory server by querying the DNS server that holds the directory information.
Comment: Optionally, enter a comment about the directory.
3 Click Add. Advanced Firewall adds the directory to its list of directories and establishes the connection.

Configuring a RADIUS Connection
You can configure Advanced Firewall to use a Remote Authentication Dial In User Service (RADIUS) as an authentication service.

Prerequisites
Before you configure any settings:
• Configure the RADIUS server to accept queries from Advanced Firewall. Consult your RADIUS server documentation for more information.

Configuring the Connection
To configure the connection:
1 On the Services > Authentication > Directories page, click Add new directory.
2 In the Add new directory dialog box, select RADIUS and configure the following settings:
Setting: Description
Status: Select Enabled to enable the connection.
Tenants: Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same. Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on tenants, see Chapter 13, Managing Tenants on page 275. For more information on licensing, contact your Smoothwall representative.
RADIUS server: Enter the hostname or IP address of the RADIUS server.
Secret: Enter the secret shared with the server.
Confirm: Re-enter the secret to confirm it.

Action on login failure: Try next directory server – Select this option if users in RADIUS are unrelated to users in any other directory server. Deny access – Select this option if the RADIUS password should override the password set in another directory server, for example when using an authentication token.
Obtain groups from RADIUS: If the RADIUS server can provide group information, select this option to enable Advanced Firewall to use the group information in the RADIUS Filter-Id attribute. When not enabled, Advanced Firewall will use group information from the next directory server in the list. If there are no other directories in the list, Advanced Firewall will place all users in the Default Users group.
Identifying IP address: Enter the IP address to use to identify the caller connecting to the RADIUS server, if it must be different to the internal IP address of the system.
Port: Accept the default port or specify a UDP port to use when communicating with the RADIUS server. The default is port 1812.
Cache timeout (minutes): Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall does not query the directory server for users who log out and log back in as long as their records are still in the cache.
Comment: Optionally, enter a comment about the directory.
3 Click Add. Advanced Firewall adds the directory to its list of directories and establishes the connection.

Configuring an Active Directory Connection – Legacy Method
Note: This is the legacy method of configuring an Active Directory connection. For a simpler method, we recommend that you use the latest method; see Configuring a Microsoft Active Directory Connection on page 195 for more information.
The following sections explain the prerequisites for Microsoft Active Directory and how to use the legacy method to configure Advanced Firewall to work with Microsoft Active Directory.

Prerequisites for Active Directory
Before you configure any settings for use with Active Directory:
• Run the Advanced Firewall Setup program and check that the DNS server containing the Active Directory information is specified correctly. This DNS server is used by Advanced Firewall for name lookups. For more information, see Appendix A, Advanced Firewall and DNS on page 302 and the Advanced Firewall Installation and Setup Guide.
• Ensure that the times set on Advanced Firewall and your Active Directory server are synchronized.
• Check that DNS reverse lookup is configured on the Active Directory DNS server for the Active Directory servers. Advanced Firewall requires DNS servers that can resolve the Active Directory server hostnames. Often, these will be the same servers that hold the Active Directory. The Active Directory DNS servers will need a reverse lookup zone with pointer (PTR) records for the Active Directory servers for a successful lookup to be able to take place. Refer to the Microsoft DNS server help if you need assistance in setting up a reverse lookup zone. See also Appendix A, Advanced Firewall and DNS on page 302 for more information.
Note: Do not use the administrator account as the lookup user. Often the administrator account will not have a Windows 2000 username, preventing the account from being used by the authentication service.

Configuring an Active Directory Connection
Configuring an Active Directory connection entails specifying server details and optionally the Kerberos realm to use, search roots and any advanced settings required.
To configure the connection:
1 Navigate to the Services > Authentication > Directories page.
2 In the Add directory server area, from the Directory server drop-down list, select Active Directory and click Next. Advanced Firewall displays the settings for Active Directory.
3 Configure the following settings:
Setting: Description
Status: Select Enabled to enable the connection.
Tenants: Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same. Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on tenants, see Chapter 13, Managing Tenants on page 275. For more information on licensing, contact your Smoothwall representative.
Active Directory server: Enter the directory server's full hostname.
Kerberos realm: Optionally, select Automatic or enter the Kerberos realm.
Username: Enter the username of a valid account. Enter the username without the domain. The domain will be added automatically by Advanced Firewall. Note: For Microsoft Active Directory, in a multi domain environment, the username must be a user in the top level domain. For more information, see Appendix A, Active Directory on page 303.
Password: Enter the password of a valid account.
Confirm: Re-enter the password to confirm it.
Cache timeout (minutes): Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall will not need to query the directory server for users who log out and log back in as long as their records are still in the cache, i.e. until the cache timeout has been passed. Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords are valid for longer.

User search root: Optionally, select Automatic to configure Advanced Firewall to start looking for user accounts at the top level of the directory. Or enter the user search root to start looking in, for example: ou=myusers,dc=mydomain,dc=local. Note: When working with multi-domain environments, the user search root must be set to the top level domain.
Extra user search roots: This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter search roots one per line.
Group search root: Optionally, select Automatic to configure Advanced Firewall to start looking for user groups at the top level of the directory. Or enter the group search root to start looking in, for example: ou=mygroups,dc=mydomain,dc=local. Note: Some directories will not return more than 1 000 results for a search, so if there are more than 1 000 groups in the directory, a more specific group search root needs to be configured. For more information, see Appendix A, Working with Large Directories on page 303.
Extra group search roots: Optionally, enter where in the directory Advanced Firewall should start looking for more user groups. Enter search roots one per line.
Comment: Optionally, enter a comment about the directory server and the settings used.
Enabled: Select this option to enable the connection to the directory server.
4 Optionally, click Advanced to access and configure the following settings:
Setting: Description
LDAP port: Accept the default, or enter the LDAP port to use.
NetBIOS workgroup: This setting applies when using NTLM authentication with Guardian. Select Automatic or enter the NetBIOS domain name to use when joining the workgroup. Advanced Firewall cannot join domains required for NTLM authentication where the workgroup, also known as NetBIOS domain name or pre-Windows 2000 domain name, is not the same as the Active Directory domain.
Use sAMAccountName: This setting applies when using Microsoft Windows NT4 or older installations. Enter the sAMAccountName to override the userPrincipalName.
Discover Kerberos realms through DNS: Select this option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Advanced Firewall to try to find all the domains in the directory server by querying the DNS server that holds the directory information.

Extra realms: This setting enables you to configure subdomains manually, as opposed to automatically, using DNS. Use the following format: <realm><space><kdc server> For example: example.org kdc.example.org Enter one realm per line.
5 Click Add. Advanced Firewall adds the directory to its list of directories.

Configuring a Local Users Directory
Advanced Firewall stores user account information comprised of usernames, passwords and group membership in local user directories so as to provide a standalone authentication service for network users. For information on adding and managing local users, see Managing Local Users on page 204.
To configure a local users directory:
1 On the Services > Authentication > Directories page, click Add new directory.
2 In the Add new directory dialog box, select Local users and configure the following settings:
Setting: Description
Status: Select Enabled to enable the connection.
Name: Accept the default name or enter a new name.
Tenants: Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same. Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on tenants, see Chapter 13, Managing Tenants on page 275. For more information on licensing, contact your Smoothwall representative.
Comment: Optionally, enter a comment about the directory.
3 Click Add. Advanced Firewall adds the directory to its list of directories and establishes the connection.

Reordering Directory Servers
Tip: If most of your users are in one directory, list that directory first so as to reduce the number of queries required. If user passwords are checked by a RADIUS server and group information is obtained from LDAP, list the RADIUS server first.
To reorder directory servers:
1 On the Services > Authentication > Directories page, select the directory server you want to move and click Up or Down until the server is where you want it.
2 Repeat the step above for any other directories you want to move.
3 Click Save moves. Advanced Firewall applies the changes.
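The RADIUS settings Action on login failure and Obtain groups from RADIUS, the fall-back to the Default Users group, and the reordering tip above all describe one walk down the directory list. The following is an added example, not Smoothwall code, that models that walk with in-memory stand-ins for a RADIUS server and an LDAP directory; the users, passwords and Filter-Id values are constructed, and treating a wrong LDAP password as "try next" is this model's own choice, since the guide documents that setting for RADIUS only.

```python
"""Added example (not Smoothwall code): a model of the directory list as the
guide describes it, covering the RADIUS settings Action on login failure and
Obtain groups from RADIUS (Filter-Id), the fall-back to the Default Users
group, and the reordering tip that a password-checking RADIUS server should
be listed before the LDAP directory that supplies group membership.

Assumptions: users, passwords and Filter-Id values are constructed; real
RADIUS and LDAP exchanges are replaced by in-memory lookups, and the
try-next behaviour on a wrong LDAP password is this model's choice.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple, Union

DEFAULT_GROUP = "Default Users"


@dataclass
class LdapDirectory:
    """Stand-in LDAP/AD directory: username -> (password, groups).
    A password of None models an account whose password is held elsewhere."""
    name: str
    users: Dict[str, Tuple[Optional[str], List[str]]]
    action_on_failure: str = "try_next"  # model's assumption for LDAP

    def check(self, user: str, password: str) -> Optional[bool]:
        if user not in self.users:
            return None  # unknown here; the next directory is consulted
        stored = self.users[user][0]
        return stored is not None and stored == password

    def groups(self, user: str) -> List[str]:
        return list(self.users[user][1]) if user in self.users else []


@dataclass
class RadiusDirectory:
    """Stand-in RADIUS server: username -> (password, Filter-Id or None)."""
    name: str
    users: Dict[str, Tuple[str, Optional[str]]]
    action_on_failure: str = "try_next"  # "try_next" or "deny"
    obtain_groups: bool = False          # use the Filter-Id attribute as the group

    def check(self, user: str, password: str) -> Optional[bool]:
        if user not in self.users:
            return None
        return self.users[user][0] == password

    def groups(self, user: str) -> List[str]:
        filter_id = self.users.get(user, (None, None))[1]
        return [filter_id] if self.obtain_groups and filter_id else []


Directory = Union[LdapDirectory, RadiusDirectory]


def authenticate(directories: Sequence[Directory], user: str,
                 password: str) -> Tuple[bool, List[str], int]:
    """Walk the directories in their configured order.

    Returns (authenticated, groups, number of directory queries). Groups come
    from the authenticating directory; if it supplies none, from the next
    directory in the list; if none does, the user lands in Default Users.
    """
    queries = 0
    for i, directory in enumerate(directories):
        queries += 1
        result = directory.check(user, password)
        if result is None:
            continue  # user not present: try the next server
        if result is False:
            if directory.action_on_failure == "deny":
                return False, [], queries  # e.g. a token password must win
            continue  # "Try next directory server"
        groups = directory.groups(user)
        for later in directories[i + 1:]:
            if groups:
                break
            queries += 1
            groups = later.groups(user)
        return True, groups or [DEFAULT_GROUP], queries
    return False, [], queries


# Constructed sample data: alice's password lives only in RADIUS (a token),
# her group only in LDAP; bob has a password in both places.
LDAP = LdapDirectory("eDirectory", {"alice": (None, ["sales"]),
                                    "bob": ("bob-pw", ["engineering"])})
RADIUS = RadiusDirectory("RADIUS", {"alice": ("alice-otp", "staff"),
                                    "bob": ("bob-otp", None)})

if __name__ == "__main__":
    print("LDAP first  :", authenticate([LDAP, RADIUS], "alice", "alice-otp"))
    print("RADIUS first:", authenticate([RADIUS, LDAP], "alice", "alice-otp"))
```

With LDAP listed first, alice authenticates against RADIUS but there is no later directory to take groups from, so she lands in Default Users; with RADIUS first, her eDirectory group is applied, which is what the reordering tip is about.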

Tip: You can also drag and drop directories to where you want them. Just remember to click Save moves.

Editing a Directory Server
To edit a directory server:
1 On the Services > Authentication > Directories page, point to the directory server and click Edit. The Edit directory dialog box opens.
2 Make the changes required; see Configuring Directories on page 195 for information on the settings available.
3 Click Save changes. Advanced Firewall applies the changes.

Deleting a Directory Server
To delete a directory server:
1 On the Services > Authentication > Directories page, point to the directory server and click Delete. When prompted, confirm that you want to delete the directory. Advanced Firewall deletes the server.

Diagnosing Directories
It is possible to review a directory's status and run diagnostic tests on it.
To diagnose a directory:
1 On the Services > Authentication > Directories page, point to the directory server and click Diagnose. Advanced Firewall displays current directory connection, user account and status information.
Tip: You can diagnose multiple directories at the same time. Select the directories and click Diagnose.

Managing Local Users
Advanced Firewall stores user account information comprised of usernames, passwords and group membership in local user directories so as to provide a standalone authentication service for network users.

Adding Users
To add a user to a local user directory:
1 On the Services > Authentication > Directories page, click on the local user directory you want to add a user to. Advanced Firewall displays any current local users.
2 Click Add new user. In the Add new user dialog box, configure the following settings:
Setting: Description
Enabled: Select to enable the user account.
Username: Enter the user account name.
Password: Enter the password associated with the user account. Passwords must be a minimum of six characters long.

Repeat password: Re-enter the password to confirm it.
Select group: From the drop-down menu, select a group to assign the user account to.
3 Click Add. Advanced Firewall saves the information.
4 Repeat the steps above to add more users.

Editing Local Users
To edit an existing user's details:
1 On the Services > Authentication > Directories page, click on the local user directory containing the user account you want to edit. Advanced Firewall displays current local users.
2 Point to the user account and click Edit. In the Edit user dialog box, make the changes required. See Adding Users on page 204 for more information on the settings available.
3 Click Save changes. Advanced Firewall applies the changes.

Deleting Users
To delete users:
1 On the Services > Authentication > Directories page, click on the local user directory containing the user account(s) you want to delete. Advanced Firewall displays current local users.
2 Point to the user account and click Delete. When prompted, confirm that you want to delete the account. Advanced Firewall deletes the account.
3 Repeat the steps above to delete other accounts.

Mapping Groups
Once you have successfully configured a connection to a directory, you can map the groups Advanced Firewall retrieves from the directory in order to apply permissions and restrictions to the users in the groups.
To map directory groups to Advanced Firewall groups:
1 On the Services > Authentication > Directories page, click on the directory that contains the group you want to map. Advanced Firewall displays any current group mappings.
2 Click Add new group mapping. In the Add new group mapping dialog box, configure the following settings:
Setting: Description
Enabled: Select to enable the mapping.
Directory service group: From the drop-down list, select the directory group(s) you want to map. Tip: You can filter the groups shown by entering parts of group names in this field.
Local group: From the drop-down list, select the Advanced Firewall group you want to map the directory service group(s) to.
3 Click Add. Advanced Firewall creates the mapping.

Remapping Groups
It is possible to change group mappings.
To remap groups:
1 On the Services > Authentication > Directories page, click on the directory that contains the group you want to remap. Advanced Firewall displays the current group mappings.
2 Point to the group and click Edit. In the Edit group mapping dialog box, remap the group(s) as required. See Mapping Groups on page 205 for more information on the settings available.
3 Click Save changes. Advanced Firewall remaps the group(s).

Deleting Group Mappings
It is possible to delete group mappings.
To delete one or more group mappings:
1 On the Services > Authentication > Directories page, click on the directory that contains the mapping(s) you want to delete. Advanced Firewall displays the current group mappings.
2 Select the mapping(s) and click Delete. When prompted, confirm the deletion by clicking Delete. Advanced Firewall deletes the mapping(s).

Managing Temporarily Banned Users
Advanced Firewall enables you to temporarily ban specific user accounts. When temporarily banned, the user is added to the Banned users group. Note: You can apply any web filtering policy to the Banned users group.

Creating a Temporary Ban
Note: Only administrators and accounts with Temp ban access can manage banned accounts. For more information, see Chapter 13, Administrative User Settings on page 274.
To ban an account temporarily:
1 Navigate to the Services > Authentication > Temporary bans page.

2 Click Add new temporary ban. In the Add new temporary ban dialog box, configure the following settings:
Setting: Description
Status: Select Enabled to enable the ban immediately.
Username: Enter the user name of the account you want to ban.
Ban expires: Click and select when the ban expires.
Comment: Optionally, enter a comment explaining why the account has been banned.
3 Click Add. Advanced Firewall enforces the ban immediately.
Tip: There is also a ban option on the Services > Authentication > User activity page; for more information, see Managing User Activity on page 208.
Tip: You can edit the block page displayed to banned users so that it gives them information on the ban in force. See Chapter 7, Managing Block Pages on page 101 for more information.

Removing Temporary Bans
To remove a ban:
1 Navigate to the Services > Authentication > Temporary bans page.
2 In the Current rules area, select the ban and click Remove. Advanced Firewall removes the ban.

Removing Expired Bans
To remove bans which have expired:
1 Navigate to the Services > Authentication > Temporary bans page.
2 In the Current rules area, click Remove all expired. Advanced Firewall removes all bans which have expired.

Managing User Activity
Advanced Firewall enables you to see who is logged in and who has recently logged out. You can also log users out and/or ban them.

Viewing User Activity
To view activity:
1 Navigate to the Services > Authentication > User activity page. Advanced Firewall displays who is logged in, who recently logged out, the group(s) the user belongs to, their source IP and the method of user authentication. Recently logged out users are listed for 15 minutes.

Logging Users Out
To log a user out:
1 On the Services > Authentication > User activity page, point to the user you want to log out and click Log user out. Advanced Firewall logs the user out immediately and lists them as logged out.
Note: Logging a user out is not the same as blocking a user from accessing web content. If the user is using SSL login, they will be prompted to authenticate again. Connection-based authentication will automatically log the user back in.

Banning Users
To ban a user:
1 On the Services > Authentication > User activity page, point to the user you want to ban and click Ban user. Advanced Firewall copies the user’s information and displays it on the Services > Authentication > Temporary bans page where you can configure the ban. For more information, see Creating a Temporary Ban on page 206.

About SSL Authentication
Advanced Firewall provides SSL Login as a built-in authentication mechanism which can be used by authentication-enabled services to apply permissions and restrictions on a customized, per-user basis.
When SSL Login is configured, network users requesting port 80 for outbound web access will be automatically redirected to a secure login page, the SSL Login page, and prompted for their user credentials.
SSL Login authentication works by dynamically adding a rule for the IP address of each authenticated user, thus allowing SSL Login redirection to be bypassed for authenticated users. When an authenticated user logs out or exceeds the time-out limit, the rule is removed and future outbound requests on port 80 will again cause automatic redirection to the SSL Login.
The SSL Login page can be manually accessed by users wishing to pro-actively authenticate themselves, typically where they need to use a non-web authentication-enabled service, for example, group bridging, or where only a small subset of users require authentication.

Customizing the SSL Login Page
When using SSL as an authentication method, it is possible to customize the title image, background image and message displayed on an SSL login page.

Customizing the Title Image
It is possible to customize the title image displayed on the SSL login page.
To upload a custom title image:
1 Browse to the Services > Authentication > SSL login page.
2 Click the Title image Browse/Select file button. Using your browser’s controls, locate and select the file.
3 Click Save changes. Advanced Firewall uploads the file and makes it available on the SSL login page.

Customizing the Background Image
It is possible to customize the background image used on an SSL login page.
To upload a background image:
1 On the Services > Authentication > SSL login page, click the Background image Browse/Select file button. Using your browser’s controls, locate and select the file.
2 Click Save changes. Advanced Firewall uploads the file and makes it available on the SSL login page.

Customizing the Message
It is possible to provide users with a customized message.
To customize the login message:
1 Navigate to the Services > Authentication > SSL login page.
2 In the Customize SSL Login area, enter your custom message in the SSL login page text box.
3 Click Save changes to apply the new message.

Removing Custom Files
To remove a custom file:
1 Browse to the Services > Authentication > SSL login page.
2 To remove the title image, adjacent to Title image, click Delete.
3 To remove the background image, adjacent to Background image, click Delete.

Reviewing SSL Login Pages
You can review SSL Login pages.
To review the SSL Login page:
1 In the web browser of your choice, enter your Advanced Firewall system’s IP address and /login. For example: http://192.168.72.141/login or, using HTTPS, https://192.168.72.141:442/login. Advanced Firewall displays the SSL login page.

Configuring SSL Login
Note: If you add Guardian3 to an Advanced Firewall installation which does not have SSL login configured, the SSL login redirection section will not be available. If you add Guardian3 to an Advanced Firewall installation which already has SSL login configured, ensure that SSL Login redirection is not enabled both on interface(s) on this page and in a web proxy authentication policy. For more information on web proxy authentication policies, see the Guardian3 Administrator’s Guide.
SSL Login authentication is configured on a per-interface basis.
To configure SSL Login:
1 Navigate to the Services > Authentication > SSL login page.
2 In the SSL login redirection area, select each interface on which you want to activate SSL Login.
3 Click Save changes. Advanced Firewall enables SSL Login on the selected interfaces.

Creating SSL Login Exceptions
SSL Login exceptions can be created in order to prevent certain hosts, ranges of hosts or subnets from being automatically redirected to the SSL Login page.
Tip: This option is useful for servers that should not be required to authenticate.
To create an SSL login exception:
1 Browse to the Services > Authentication > SSL login page.
2 Locate the SSL login redirection area. In the Redirect exception addresses field, enter an IP address, IP range or subnet that should not be redirected to the SSL Login.
3 Repeat the step above on a new line for each further exception you want to make.
4 Click Save changes.

Managing Kerberos Keytabs
Note: When using Microsoft Active Directory for authentication, Kerberos keys are managed automatically. For other directory servers, it is necessary to import keytabs manually; see the following section for information on how to do this.
A Kerberos keytab is a file which contains pairs of Kerberos principals and encrypted keys. By importing and using Kerberos keytabs, Advanced Firewall services, such as authentication, can use the interoperability features provided by Kerberos.
For information on using Kerberos as the authentication method in authentication policies, see Chapter 6, Creating Authentication Policies on page 67.

Adding Keytabs
The following section explains how to add Kerberos keytabs into Advanced Firewall.
For information on generating keytabs, consult the documentation delivered with your directory server. Also, see http://technet.microsoft.com/en-us/library/cc753771%28v=WS.10%29.aspx which discusses how to get a keytab from Active Directory, available at the time of writing.
To add a keytab:
1 Browse to the Services > Authentication > Kerberos keytabs page.
2 Click Add new keytab and configure the following settings:

Setting     Description
Status      Accept the default setting to enable the keytab.
Name        Enter a descriptive name for the keytab.
File        Using your browser, locate and select the keytab.
Comment     Optionally, enter a comment to describe the keytab.

3 Click Add. Advanced Firewall adds the keytab and lists it in the Kerberos keytabs area.
4 Repeat the steps above for any other keytabs you need to import.
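Before uploading a keytab exported from a directory server, it is worth checking which principals, key version numbers and encryption types it actually carries. The following Python script is an added example, not Smoothwall code: it parses the MIT keytab file format (header bytes 05 02) that Active Directory and MIT/Heimdal tools produce and flags legacy DES and RC4 keys; the sample keytab, the principal name and the key bytes are constructed for the example.

```python
"""Inspect a Kerberos keytab before importing it.

Added example, not Smoothwall code: parses the MIT keytab format (header
bytes 05 02) and reports each principal, kvno and encryption type without
printing key material. Legacy DES and RC4 keys are flagged. The sample
keytab is constructed in memory with made-up keys.
"""
import struct
from dataclasses import dataclass

# RFC 3961 / IANA encryption type numbers commonly found in AD keytabs.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
LEGACY_ENCTYPES = frozenset({1, 3, 23})


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_len: int


def _counted_string(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read a keytab counted octet string: uint16 big-endian length, then bytes."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse a version-2 MIT keytab; raises ValueError if the file is malformed."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected header bytes 05 02)")
    entries = []
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size  # negative size marks a deleted entry ("hole"): skip it
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("entry length runs past the end of the file")
        (num_components,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_string(data, pos)
        components = []
        for _ in range(num_components):
            comp, pos = _counted_string(data, pos)
            components.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, key_len = struct.unpack_from(">HH", data, pos)
        pos += 4 + key_len  # step over the raw key bytes; never expose them
        kvno = vno8
        if end - pos >= 4:  # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        principal = "/".join(components) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, timestamp, kvno, enctype, key_len))
    return entries


def keytab_report(data: bytes) -> list[str]:
    """One line per key: principal, kvno, enctype name, key length, legacy flag."""
    report = []
    for e in parse_keytab(data):
        name = ENCTYPE_NAMES.get(e.enctype, f"enctype-{e.enctype}")
        flag = "  <-- legacy enctype" if e.enctype in LEGACY_ENCTYPES else ""
        report.append(f"{e.principal} kvno={e.kvno} {name} ({e.key_len}-byte key){flag}")
    return report


def build_keytab(keys: list[tuple[str, int, int, bytes]]) -> bytes:
    """Build a version-2 keytab from (principal, kvno, enctype, key) tuples.
    Used only to construct sample input here; real keytabs come from the KDC."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in keys:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = bytearray(struct.pack(">H", len(components)))
        for s in (realm, *components):
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 1386000000, kvno & 0xFF)  # NT-PRINCIPAL, time, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: one service principal exported with an AES key and an RC4 key.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/firewall.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32),
    ("HTTP/firewall.example.com@EXAMPLE.COM", 3, 23, b"\x22" * 16),
])

if __name__ == "__main__":
    print("\n".join(keytab_report(SAMPLE_KEYTAB)))
```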

Managing Keytabs
The following sections explain how to enable, view, edit and delete Kerberos keytabs.

Disabling Keytabs
Kerberos keytabs are enabled by default. It is possible to disable a Kerberos keytab when required, for example, when troubleshooting.
To disable a keytab:
1 Browse to the Services > Authentication > Kerberos keytabs page.
2 In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3 In the Edit keytab dialog box, clear the Enabled option. Click Save changes to save the setting. Advanced Firewall disables the keytab.

Viewing Keytab Content
It is possible to view the contents of a Kerberos keytab.
To view a Kerberos keytab:
1 Browse to the Services > Authentication > Kerberos keytabs page.
2 In the Installed Kerberos keytabs area, click the keytab’s display arrow. Advanced Firewall displays the content.

Editing Keytabs
It is possible to change the name of the Kerberos keytab file.
To change the name of the Kerberos keytab file:
1 Browse to the Services > Authentication > Kerberos keytabs page.
2 In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3 In the Edit keytab dialog box, change the name as required and click Save changes. Advanced Firewall changes the name and lists the Kerberos keytab in the Installed Kerberos keytabs area.

Deleting Keytabs
It is possible to delete Kerberos keytabs that are no longer required.
To delete a Kerberos keytab:
1 Browse to the Services > Authentication > Kerberos keytabs page.
2 In the Installed Kerberos keytabs area, point to the keytab and select Delete.
3 When prompted to confirm the deletion, click Delete. Advanced Firewall deletes the keytab.

Using WPA Enterprise
Advanced Firewall’s use of WPA Enterprise enables users to connect their own wireless devices to the network (known as ‘bring your own device’ or BYOD) and run applications with authentication that is unobtrusive.
Advanced Firewall links your organization's Active Directory domain to a RADIUS server. As a network administrator, you can configure your wireless network infrastructure to authenticate users using the RADIUS server so that users can use their Active Directory accounts as wireless client login details.
Configuring WPA Enterprise comprises:

• Checking that your network is configured as required. For more information, see Pre-requisites on page 214
• Setting up wireless access points to use Advanced Firewall as a RADIUS server. For more information, see Configuring Access Points on page 214
• Configuring Advanced Firewall to use WPA Enterprise. For more information, see Configuring WPA Enterprise on page 215
• In some cases, manually making the Advanced Firewall CA certificate available to devices which cannot accept it when users authenticate to the wireless network. For more information, see Provisioning the Advanced Firewall Certificate on page 215

Pre-requisites
• On Advanced Firewall, DHCP must be enabled and there must be a valid DHCP subnet configured. For more information on DHCP, see Chapter 8, DHCP on page 119
• Wireless access points must be on the same subnet as Advanced Firewall. Switches are allowed, but there must be no routers between them. Advanced Firewall must be the DHCP server for that subnet
• Users’ wireless devices must support WPA Enterprise with PEAP and MSCHAPv2
• For users to whom a web filtering policy applies, Guardian must be configured to use core authentication. For more information, see Chapter 6, Creating Authentication Policies on page 67
• Advanced Firewall’s Active Directory authentication method must be used to authenticate users. For more information, see Configuring a Microsoft Active Directory Connection on page x
Note: Local users are not supported, nor is the legacy Active Directory authentication method.

Configuring Access Points
Note: Consult the documentation delivered with your wireless access point for complete information on how to configure it in detail.
To configure a wireless access point:
1 Log on to the wireless access point.
2 Create or modify a wireless network to use WPA2 with 802.1X.
Note: On the access point, the wireless network type may be referred to as: WPA2-Enterprise, WPA2 RADIUS or WPA2 with a separate option for RADIUS. Some wireless access points require two separate settings for this. WPA2 is most secure. To support older hardware, WPA version 1 is also supported. Some wireless access points support WPA/WPA2 simultaneously.
3 Make a note of the shared secret for the wireless network. You will need this when configuring WPA Enterprise on Advanced Firewall.
4 Set Advanced Firewall as the RADIUS server for both authentication and accounting.

Configuring WPA Enterprise
To configure WPA Enterprise:
1 Browse to the Services > Authentication > WPA Enterprise page.
2 Click Add new access point. In the Add new access point dialog box, configure the following settings:

Setting         Description
Status          Select Enabled to enable the access point.
Name            Enter a name for the access point.
IP address      Enter the IP address of the access point.
Shared secret   Enter the secret that secures RADIUS communication between the access point and Advanced Firewall.
Confirm         Re-enter the shared secret to confirm it.
Comment         Optionally, enter a comment to describe the access point.

3 Click Add. Advanced Firewall applies the settings and lists the access point. Users who now try to access the wireless network will be prompted to authenticate.
Note: See Provisioning the Advanced Firewall Certificate on page 215, for devices which do not automatically accept the Advanced Firewall certificate.

Provisioning the Advanced Firewall Certificate
Some devices may not automatically accept the Advanced Firewall certificate when users try to authenticate themselves to the wireless network. For those devices, you can download the Advanced Firewall certificate to make it available in a way supported by the devices.
To provision the certificate:
1 On the Services > Authentication > WPA Enterprise page, click Download CA certificate.
2 Save the certificate in a secure location and consult the documentation provided with the device(s) as to how best to install it on the device(s).

Managing Groups of Users
The following sections discuss groups of users and how to manage them.

About Groups
Advanced Firewall uses the concept of groups to provide a means of organizing and managing
similar user accounts. Authentication-enabled services can associate permissions and restrictions to
each group of user accounts, thus enabling them to dynamically apply rules on a per-user account
basis.
Local users can be added or imported to a particular group, with each group being organized to
mirror an organization’s structure. Groups can be renamed by administrators to describe the users
that they contain.
Currently, Advanced Firewall supports 1000 groups and, by default, contains the following groups:

Group                    Description
Unauthenticated IPs      The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for unauthenticated users, i.e. users that are not logged in, currently unauthenticated or cannot be authenticated.
                         Note: This group cannot be renamed or deleted.
Default Users            Users can be mapped to Default Users. The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for users that are not specifically mapped to an Advanced Firewall group, i.e. users that can be authenticated, but who are not mapped to a specific Advanced Firewall authentication group.
                         Note: This group cannot be renamed or deleted.
Banned Users             The purpose of this group is to contain users who are banned from using an authentication-enabled service.
                         Note: This group cannot be renamed or deleted.
Network Administrators   This group is a normal user group, configured with a preset name, and set up for the purpose of granting network administrators access to an authentication-enabled service. Because the Network Administrators group is a normal group with a preset configuration, it can be both renamed and used by authentication-enabled services to enforce any kind of permissions or restrictions.

Adding Groups
It is possible to add groups to Advanced Firewall. Currently, Advanced Firewall supports 1000
groups.
To add a group:
1 On the Services > Authentication > Groups page, click Add new group.
2 In the Add new group dialog box, enter the following information:

Field      Description
Name       Enter a name for the group.
Comment    Optionally, enter a comment.

3 Click Add. Advanced Firewall creates the group and lists it.

Editing Groups
Note: It is not possible to rename the Unauthenticated IPs, Default Users or Banned Users groups.
To edit a group:
1 On the Services > Authentication > Groups page, point to the group and click Edit.
2 In the Edit group dialog box, enter the following information:

Field      Description
Name       When renaming a group, enter a new name.
Comment    Edit or enter a new comment.

3 Click Save changes. Advanced Firewall applies the changes.

Deleting Groups
Note: It is not possible to delete the Unauthenticated IPs, Default Users or Banned Users groups.
To delete a group or groups:
1

On the Services > Authentication > Groups page, select the group(s) and click Delete.

2

When prompted to confirm the deletion, click Delete. Advanced Firewall deletes the group(s).

Chapter 11

Reporting
In this chapter:

About the Summary page

Working with Advanced Firewall reports

Managing datastore/log retention settings.

About the Summary Page
The summary page displays a customizable list of reports.
To access the summary page:
1

Navigate to the Logs and reports > Reports > Summary page.

Note: The information displayed depends on the product series you are using.
A list of the reports generated by default is displayed. For information on customizing the reports
displayed, see Chapter 13, Configuring the User Interface on page 268.

Accessing Reporting
Advanced Firewall can produce many types of reports which provide information on almost every
aspect of Advanced Firewall.
To access reporting:
1

Navigate to the Logs and reports > Reports > Reports page.


Generating Reports
Advanced Firewall contains a broad range of reports which can be generated immediately.
To generate a report:
1

Navigate to the Logs and reports > Reports > Reports page and click on a folder containing the
report you want to generate.

2

Click on the report to access its options. Advanced Firewall displays the options available.

Tip: Click Advanced to see a description of the report, access advanced options and portal publication permissions. For more information on publishing reports, see Chapter 8, Making Reports Available on page 83.

3

If applicable, set the time interval for the report and enter/select any option(s) you require.

4

Click Run report to generate the report. Advanced Firewall displays the report.

Canceling a Report
It is possible to cancel a report if it is taking a long time to generate.
To cancel a report:
1

Generate the report, see Generating Reports on page 220.

2

When the report progress bar is displayed, click Cancel. Advanced Firewall cancels the report.

Saving Reports
If you want permanent access to a report, you must save it.
To save a report:
1

Generate the report, see Generating Reports on page 220.

2

In the Save as field, enter a name for the report and click Save. You can access the report on the
Logs and reports > Reports > Recent and saved page.

About Recent and Saved Reports
You can access all reports generated in the last three days on the Logs and reports > Reports >
Recent and saved page.
You can also save recently generated reports and change report formats on this page.

Changing Report Formats
Advanced Firewall enables you to change reports viewed and/or saved in one format to another.

To change a report format:
1

Navigate to the Logs and reports > Reports > Recent and saved page.

2

Locate the report you want to change and click on the format you want to change the report to. The
following formats are available:
Format     Description
csv        The report will be generated in comma separated text format.
excel      The report will be generated in Microsoft Excel format.
pdf        The report will be generated in Adobe’s portable document format.
pdfbw      The report will be generated in black and white in Adobe’s portable document format.
tsv        The report will be generated in tab separated text (tsv) format.

Managing Reports and Folders
The following sections explain how to create, delete and navigate reports and folders in Advanced
Firewall.

Creating Folders
You can create a folder to contain reports on the Logs and reports > Reports > Reports page or in
a folder or sub-folder contained on the page.
To create a folder:
1

On the Logs and reports > Reports > Reports page, determine where you want to create the
folder, on the page or in an existing folder.

2

Click the Create a new folder button. Advanced Firewall creates the folder.

3

Enter a name for the folder and click Rename.

Deleting Folders
To delete a folder:
1

On the Logs and reports > Reports > Reports page, locate the folder.

2

Click the Delete button. Advanced Firewall deletes the folder.

Note: You cannot delete a folder which contains reports. Delete the report(s) in the folder first, then delete
the folder.


Deleting Reports
To delete a report:
1

Navigate to the Logs and reports > Reports > Recent and saved page.

2

Locate the report and click the Delete button.

Report Permissions
Advanced Firewall enables you to publish reports on a portal. For more information, see Chapter 8,
Making Reports Available on page 83.

Making Reports Available on Portals
You can make reports generated on one portal available on other portals.
To make the report available:
1

Navigate to the Logs and reports > Reports > Reports page and locate the report you want to
publish to portals.

2

On the Permissions tab, click Automatic Access.

3

In the Automatic Access area, from the Add access drop-down list, select the portal you want to
publish the generated report on and click Add.

4

Click Close to close the dialog box. Advanced Firewall publishes the report to the portal.


Scheduling Reports
Advanced Firewall can generate and deliver reports to specified user groups at specified intervals.
To schedule a report:
1 Navigate to the Logs and reports > Reports > Scheduled page.
2 Configure the following settings:

Setting              Description
Start date           Select the month and day on which to create and deliver the report. If the report is to be repeated, enter the date on which the first report should be created and delivered.
Time                 Select the hour and minute at which to deliver the report.
Enabled              Select to enable the scheduled report.
Comment              Optionally, enter a description of the scheduled report.
Repeat               Scheduled reports can be generated and delivered more than once. Select from the following options:
                     No Repeat – The report will be generated and delivered once on the specified date at the specified time.
                     Daily Repeat – The report will be generated and delivered once a day at the specified time, starting on the specified date.
                     Weekday Repeat – The report will be generated and delivered at the specified time, Monday to Friday, starting on the specified date.
                     Weekly Repeat – The report will be generated and delivered at the specified time, once a week, starting on the specified date.
                     Monthly Repeat – The report will be generated and delivered at the specified time, once a month, starting on the specified date.

Report               From the drop-down list, select the report.
Report name          Enter a name for the scheduled report.
Report shows period  From the drop-down list, select how long to collate data for this report.
Email report         Select this option if you want to email the report to a group of users.
Group                From the drop-down list, select the group you want to deliver the report to. For more information, see Chapter 12, Configuring Groups on page 254.
Publish from portal  Optionally, from the drop-down menu, select a portal to publish the report from.
Save report          Select this option if you want to save the scheduled report after it has been generated. The report will be available on the Logs and reports > Reports > Recent and saved page.

3 Click Add. Advanced Firewall schedules the report and lists it in the Scheduled reports area.

Managing Log Retention
You can configure Advanced Firewall to retain logs for use in reporting and network troubleshooting.
To manage log retention:
1 Navigate to the Logs and reports > Settings > Datastore settings page.

2 Configure the following settings:

Setting             Description
Retention settings  Use the slider’s start and end points to specify the minimum and maximum number of months Advanced Firewall should retain log files. For example, if the minimum retention period is set to 3 months and the maximum retention period is set to 6 months, Advanced Firewall will always keep log files for 3 months and, if there is available storage space, will keep them for 6 months. If a log file is older than the minimum retention period specified, it may be deleted if the available storage space starts to run out. If a log file is older than the maximum retention period specified, it will be deleted.
                    Minimum – The minimum number of months possible is 0.
                    Maximum – The maximum number of months possible is infinite.
                    Note: If, because of a lack of storage space, the minimum log retention is not possible, Advanced Firewall will stop working and display a warning.

3 Click Save changes to save the datastore settings.


Chapter 12

Information, Alerts and Logging
In this chapter:
• About the dashboard, registration and initial setup pages
• Viewing, analyzing and configuring alerts, realtime information and log files.

About the Dashboard
The dashboard is the default home page of your Advanced Firewall system. The dashboard displays service information, external connectivity controls and a number of summary reports.
To access the dashboard:
1 Browse to Dashboard.

About the About Page
The About page displays product, registration, copyright and trademark information. It also displays acknowledgements.
To access the About page:
1 Browse to the bottom of the page you are on and click About.

Alerts
Advanced Firewall contains a comprehensive set of incident alerting controls.

Overview
Alerts are generated when certain trigger conditions are met. Trigger conditions can be individual events, for example, an administrator login failure, or a series of events occurring over a particular time period, for example, a sustained high level of traffic over a five minute period. Some situations are constantly monitored, particularly those relating to critical failures, for example, UPS and power supply alerts.
Some alerts allow their trigger conditions to be edited to customize the alert sensitivity. It is possible to specify two trigger conditions for some alerts – the first acts as a warning alert, and, in more critical circumstances, the second denotes the occurrence of an incident.

Available Alerts
You access the alerts and their settings on the Logs and reports > Alerts > Alerts page. Depending on the alert, the trigger condition is monitored constantly, once every five minutes or once an hour.

Alert                                               Description
VPN Tunnel Status                                   VPN Tunnel status notifications occur when an IPSEC Tunnel is either connected or disconnected.
L2TP VPN Tunnel Status                              L2TP Tunnel status notifications occur when an L2TP (Layer 2 Tunnelling Protocol) Tunnel is either connected or disconnected.
Output System Test Messages                         Catches test alerts generated for the purposes of testing the Advanced Firewall Output systems.
Hardware failure alerts, i.e. UPS, harddisk failure Generates messages when hardware problems are detected.
Power Supply status warnings                        Generates messages when server power switches to and from mains supply.
License expiry status warnings                      Generates messages when the license is due for renewal or has expired.
Hardware Failover Notification                      Generates messages when a hardware failover occurs, or when failover machines are forced on and offline.
SmoothTunnel VPN Certificate Monitor                Validates Advanced Firewall VPN certificates and issues warnings about potential problems or impending expiration dates.
Reverse proxy violations                            Monitors reverse proxy activity and generates warnings about connectivity issues.
Administration Login Failures                       Monitors both the Secure Shell (SSH) and Web Interface services for failed login attempts.
Health Monitor                                      Checks on remote services for activity.
System Resource Monitor                             These alerts are triggered whenever the system resources exceed predefined limitations.
System Service Monitoring                           This alert is triggered whenever a critical system service changes status, i.e. starts or stops.
Traffic Statistics Monitor                          These alerts are triggered whenever the traffic flow for the external interface exceeds certain thresholds.
Firewall Notifications                              Monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports.
SmoothRule Violations                               Monitors outbound access activity and generates warnings about suspicious behavior.
External Connection Failover                        Monitors the external connection(s) and alerts in the case of failover.
Email Virus Monitor                                 These alerts are triggered by detection of malware being relayed via SMTP or downloaded via POP3.
IM proxy monitored word alert                       Monitors instant messaging chat activity and generates warnings based on excessive use of inappropriate language.
Inappropriate word in IM Monitor                    Generates an alert whenever a user uses an inappropriate word or phrase in an IM chat conversation.
Intrusion System Monitor                            These alerts are triggered by violations and notices generated by the intrusion system in response to suspicious network activity.
Mail Queue Monitor                                  Watches the email queue and informs if the number of messages therein exceeds a certain threshold.
Update Monitoring                                   Monitors the system for new updates once an hour.
System Boot (Restart) Notification                  This alert is generated whenever the system is booted, i.e. is turned on or restarted.

Enabling Alerts
Advanced Firewall contains a comprehensive set of incident alerting controls.
To enable alerts:
1 Browse to the Logs and reports > Alerts > Alerts page.
2 Configure the following settings:

Setting                      Description
Group name                   From the drop-down list, select a group of recipients and click Select. For information on creating a group, see Configuring Groups on page 254.
Enable instantaneous alerts  By default, Advanced Firewall queues alerts in two minute intervals, and then distributes a merged notification of all alerts. Select this option to send the alert(s) individually as soon as they are triggered.

3 For each alert you want to send, select the delivery method: SMS or Email.
4 Click Save.

To adjust the settings: 1 Enter or choose appropriate settings for each of the following controls: Setting Description System load average Used to set a threshold for the average number of processes waiting to use the processor(s) over a five minute period. Alerts and Logging Alerts Looking up an Alert by Its Reference To view the content of an alert that has already been sent: 1 Enter the alert’s unique ID into the Alert ID field and click Show.0) may merit attention. Disk usage Used to set a disk space usage percentage threshold. A system operating at normal performance should record a load average of between 0. Configuring Alert Settings The following sections explain how to configure Advanced Firewall alert settings. averages greater than 3.Information. 230 . Configuring the System Resource Alert This alert is triggered whenever particular system resources exceed some predefined limitations. To access the alert settings: 1 Browse to the Logs and reports > Alerts > Alert settings page.0. Low amounts of free disk space can adversely affect system performance. The content of the alert will be displayed on a new page. that generates an alert once exceeded. While higher values are not uncommon. prolonged periods of high load (for example.0 and 1.

Setting – Description
System memory usage – Used to set a system memory usage percentage threshold that generates an alert once exceeded. Advanced Firewall uses system memory aggressively to improve system performance, so higher than expected memory usage may not be a concern. However, prolonged periods of high memory usage may indicate that the system could benefit from additional memory.
2 Click Save.

Configuring the Firewall Notifications Alert
This alert monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports.
To adjust the settings:
1 Enter or choose appropriate settings for each of the following controls:
Setting – Description
Monitor Source (remote) IP addresses – Detects suspicious inbound communication from remote IP addresses. Alerts will be generated if a rapid series of inbound requests from the same remote IP address is detected.
Monitor Destination (local) IP Addresses – Detects suspicious inbound communication to local IP addresses. Alerts will be generated if a rapid series of inbound requests to the same local IP address is detected.
Monitor Source (remote) Ports – Detects suspicious inbound communication from remote ports. Alerts will be generated if a rapid series of inbound requests from the same remote port is detected.
Monitor Destination (local) Ports – Detects suspicious inbound communication to local ports. Alerts will be generated if a rapid series of inbound requests to the same local port is detected.
Note: The adjacent Warning threshold and Incident threshold fields can be used to set the respective levels at which alerts are generated for each type of activity.
Note: To exempt particular ports from monitoring, enter a comma separated list of ports into the appropriate Ignore fields.
2 Click Save.

Configuring the System Service Alert
This alert is triggered whenever a critical system service changes states, i.e. starts or stops.
To adjust the settings for this alert:
1 Select the components, modules and services that should generate alerts when they start or stop.
2 Click Save.

Configuring the Health Monitor
This alert is triggered whenever a remote service fails to report activity. Health monitor alerts are intended to enable you to keep an eye on various aspects of your network which are usually outside of the remit of Advanced Firewall.
The health monitor provides the following checks and alerts:

Web Servers (HTTP)
When enabled, tries to retrieve the specified web page and check that it contains specific keywords. This is for detecting defacement. Assuming the page has been retrieved and the keywords are missing, an alert is generated.
Setting – Description
Request URL – Enter the URL of the web page you want retrieved and checked for keywords, for example: example.com/index.htm
Note: Omit http:// when entering the URL.
Keywords – Enter the keywords to be checked in the page.
No of tries – Enter the number of times Advanced Firewall should try to retrieve the page.

DNS Name Resolution
Checks that a domain has not expired or been hijacked.
Setting – Description
Name – Enter the domain name.
Address – Enter the domain address.

Other Services
Checks that the specified port is open and offering a service.
Setting – Description
IP Address – Enter the IP address.
Port – Enter the port number.
Protocol – From the drop-down list, select the protocol of the service you want to check for a response. Select Other to check that there is any response to connections on the associated port.
No of tries – Enter the number of times Advanced Firewall should check the address and not receive a response before generating an alert.

To configure the alert:
1 For the services, enter the URL, IP address or name, port numbers and number of tries.
2 Enter keywords, if applicable.
3 Select the protocol.
4 Click Add for each service.

Configuring the Inappropriate Word in IM Monitor Alert
These alerts are generated whenever a user uses an inappropriate word or phrase in instant messaging chat conversations.
To configure the alert:
1 Configure the following settings:
Setting – Description
Enabled on received text – Select to generate the alert when an inappropriate word is used in a message received from a remote user.
Enabled on sent text – Select to generate the alert when an inappropriate word is used in a message sent by a local user.

Generate alert for each message which exceeds the Message Censor severity threshold – Select to generate an alert when the Message Censor threshold is exceeded. From the drop-down list, select the threshold above which an alert will be generated. For information on the Message censor threshold, see Chapter 8, Censoring Message Content on page 109.
Generate alert when users exceed the rate of inappropriate messages – Select to generate an alert when users exceed the specified number of inappropriate messages within a 15 minute period.
Number of inappropriate messages in 15 mins – Specify how many inappropriate messages to allow in a 15 minute period before generating an alert.
2 Click Save to save the settings.

Configuring the Email Virus Monitor Alert
When configured, these alerts are triggered when malware being relayed via SMTP or downloaded via POP3 is detected.
To configure the alert(s):
1 Enable the following setting(s):
Setting – Description
Monitor SMTP relay for viruses – Select to alert when malware is detected when relaying via SMTP.
Monitor POP3 proxy for viruses – Select to alert when malware is detected when downloading via POP3.
2 Click Save to enable the alerts.

Configuring the Mail Queue Monitor Alert
This alert is triggered when the number of messages in the email queue exceeds the specified threshold.
To configure and enable the alert:
1 Configure the following settings:
Setting – Description
Threshold number of messages – Enter the number of messages above which the alert is triggered.
2 Click Save to save the settings and enable the alert.

Realtime
The realtime pages provide access to realtime information about your system.

Realtime System Information
The System page is a realtime version of the system log viewer with some filtering options.

To access the System page:
1 Browse to Logs and reports > Realtime > System page.
By default, all information in the system log is displayed and updated automatically approximately every second.
To display information on specific components:
1 From the Section drop-down list, select the component and click Update. If there is information on the component available in the system log, it is displayed in the Details area.

Realtime Firewall Information
The Firewall page is a realtime version of the firewall log viewer with some filtering options. All entries in the firewall log are from packets that have been blocked by Advanced Firewall.

To access the page:
1 Browse to Logs and reports > Realtime > Firewall page.
By default, information is displayed and updated automatically approximately every second.
To display information on specific sources and destinations:
1 Enter a complete or partial IP address and/or port number in the fields and click Update.

Realtime IPsec Information
The IPSec page is a realtime version of the IPSec log viewer with some filtering options.

To access the IPSec page:
1 Browse to Logs and reports > Realtime > IPSec page.
By default, all information in the log is displayed and updated automatically approximately every second.
To display information on a specific tunnel:
1 Configure the following settings:
Setting – Description
Connection – From the drop-down list, select the tunnel.
Show only lines containing – Enter the text you are looking for.
2 Click Update. If there is information available in the system log, it is displayed in the Details area.

Realtime Portal Information
The Portal page displays realtime information on users accessing Advanced Firewall portals. For more information on portals, see Chapter 8, Working with Portals on page 81.
To access the portal page:
1 Browse to Logs and reports > Realtime > Portal page.

Realtime Instant Messaging
The IM proxy page is a realtime version of the IM proxy log viewer with some filtering options. The page displays a view of ongoing conversations for each of the monitored protocols and displays a selected conversation as it progresses. Active conversations which have had content added to them within the last minute are displayed in bold text in the left pane. If nothing has been said for more than a minute, the remote username will be displayed in the normal style font. The local username is denoted in blue, the remote username is denoted in green.
Note: As most IM clients communicate with a central server, local conversations are likely to be displayed twice as users are recognized as both local and remote.
You can use the following settings to manage how the conversation is displayed.
To view IM conversations:
1 Browse to Logs and reports > Realtime > IM proxy page.
2 In the Username or IP address field, enter the username or IP address. If there is information available in the web filter log, it is automatically displayed in the Details area.
3 To show lines containing specific text, enter the text in the Show only lines containing field. If the text is found, it is automatically displayed in the Details area.

Realtime Traffic Graphs
The Traffic graphs page displays a realtime graph of the bandwidth in bits per second being used by the currently selected interface.

To access the traffic graphs page:
1 Browse to Logs and reports > Realtime > Traffic graphs page.
The Interfaces area displays a list of the active interfaces on Advanced Firewall. Clicking on an interface displays its current traffic. Top 10 Incoming displays the 10 IP addresses which are using the greatest amount of incoming bandwidth. Top 10 Outgoing displays the 10 IP addresses which are using the greatest amount of outgoing bandwidth.

Logs
The log pages display system, firewall, IPsec, intrusion system, email and proxy information.

System Logs
The system logs contain simple logging and management information.
To access system logs:
1 Browse to the Logs and reports > Logs > System page.

To view specific information:
1 Select the filtering criteria using the Settings area and click Update. A single column is displayed containing the time of the event(s) and descriptive messages.
The following filter criteria controls are available in the Settings area:
Control – Description
Section – Used to select which system log is displayed. The following options are available:
Authentication service – Log messages from the authentication system, including service status messages and user authentication audit trail.
IM Proxy – Log messages from the instant messaging proxy service, including service status messages.
Kernel – Log messages from the core Advanced Firewall operating system.
Message censor – Displays information from the message censor logs.
Monitor – Displays monitoring system information including service status and alert/report distribution audit trail.
NTP – Log messages from the network time system.
SSH – Log messages from the SSH system.
System – Simple system log messages, including startup, shutdown, reboot and service status messages.
System – Displays server log information.
SystemD – Log messages from the system super server.
Update transcript – Displays information on update history.
UPS – Log messages from the UPS system.
VIPRE engine – Displays information on the anti-malware engine.
Month – Used to select the month that log entries are displayed for.
Day – Used to select the day that log entries are displayed for.
Export format – Logs can be exported in the following formats:
Comma Separated Values – The information is exported in comma separated text format.
Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
Raw Format – The information is exported without formatting.
Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.

Firewall Logs
The firewall logs contain information on network traffic.
To view the firewall logs:
1 Browse to the Logs and reports > Logs > Firewall page.

Filtering Firewall Logs
The following filter criteria controls are available in the Settings area:
Control – Description
Section – Used to select which firewall log is displayed. The content of each section is discussed below.
Month – Used to select the month that log entries are displayed for.
Day – Used to select the day that log entries are displayed for.
Compression – Used to ghost repeated sequential log entries for improved log viewing.

Source – Enter an IP address and click Update to display log entries for that source address.
Destination – Enter an IP address and click Update to display log entries for that destination address.
Src port – This drop-down list is populated with a list of all source ports contained in the firewall log. Select a port and click Update to display log entries for that port.
Dst port – This drop-down list is populated with a list of all destination ports contained in the firewall log. Select a port and click Update to display log entries for that port.
Export format – Logs can be exported in the following formats:
Comma Separated Values – The information is exported in comma separated text format.
Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
Raw Format – The information is exported without formatting.
Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.

The list of possible sections that can be viewed is as follows:
Section – Description
Main – All rejected data packets.
Outgoing rejects – All data packets from the internal network zones that were rejected by an outbound access rule.
Outgoing stealth – All data packets from the internal network zones that were logged but not rejected by an outbound access rule.
Port forwards – All data packets from the external network that were forwarded by a port forward rule – if port forward logging is enabled on the Networking > Firewall > Port forwarding page.
Incoming audit – All traffic to all interfaces that is destined for the firewall – if Direct incoming traffic is enabled on the Networking > advanced page.
Outgoing audit – All traffic leaving from any interface – if Direct outgoing traffic is enabled on the Networking > Settings > Advanced page.
Forward audit – All traffic passing through one interface to another – if Forwarded traffic is enabled on the Networking > Settings > Advanced page.
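The rapid-series logic behind the Firewall Notifications alert (Monitor Source/Destination IP addresses and ports, Warning and Incident thresholds, Ignore ports), run over constructed rows that use the columns listed under Viewing Firewall Logs. This is an added Python example, not Smoothwall code; the tab-separated row layout, the 60 second sliding window and the threshold values are assumptions.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FirewallEvent:
    """One firewall log row, using the columns documented for the log viewer."""
    time: datetime
    in_if: str
    out_if: str
    protocol: str
    source: str
    src_port: int
    destination: str
    dst_port: int


# Constructed sample rows (not real appliance output). The tab-separated layout
# and column order are an assumption for this example: Time, In, Out, Protocol,
# Source, Src Port, Destination, Dst port. Every row is a blocked packet.
SAMPLE_LOG = """\
2013-12-02 10:00:01\teth0\t-\tTCP\t203.0.113.9\t51000\t192.0.2.10\t22
2013-12-02 10:00:02\teth0\t-\tTCP\t203.0.113.9\t51001\t192.0.2.10\t23
2013-12-02 10:00:03\teth0\t-\tTCP\t203.0.113.9\t51002\t192.0.2.10\t25
2013-12-02 10:00:04\teth0\t-\tTCP\t203.0.113.9\t51003\t192.0.2.10\t80
2013-12-02 10:00:05\teth0\t-\tTCP\t203.0.113.9\t51004\t192.0.2.10\t443
2013-12-02 10:00:06\teth0\t-\tTCP\t203.0.113.9\t51005\t192.0.2.10\t8080
2013-12-02 10:00:10\teth0\t-\tTCP\t198.51.100.7\t40000\t192.0.2.10\t80
2013-12-02 10:00:12\teth0\t-\tTCP\t198.51.100.7\t40001\t192.0.2.10\t80
2013-12-02 10:00:20\teth0\t-\tTCP\t198.51.100.20\t33000\t192.0.2.11\t3389
2013-12-02 10:00:21\teth0\t-\tTCP\t198.51.100.20\t33001\t192.0.2.11\t3389
2013-12-02 10:00:22\teth0\t-\tTCP\t198.51.100.20\t33002\t192.0.2.11\t3389
2013-12-02 10:05:00\teth0\t-\tTCP\t198.51.100.20\t33003\t192.0.2.11\t3389
"""


def parse_firewall_log(text: str) -> list[FirewallEvent]:
    """Parse tab-separated rows into FirewallEvent records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, in_if, out_if, proto, src, sport, dst, dport = line.split("\t")
        events.append(FirewallEvent(
            datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
            in_if, out_if, proto, src, int(sport), dst, int(dport)))
    return events


def rapid_series(events, field, window_seconds, warning, incident, ignore_ports=()):
    """Find values of `field` that receive a rapid series of blocked packets.

    `field` is one of "source", "destination", "src_port" or "dst_port", one per
    Monitor setting. A value reaches "warning" once `warning` packets fall inside
    a `window_seconds` sliding window and "incident" once `incident` do. Ports in
    `ignore_ports` are exempt, like the Ignore fields. Returns {value: highest
    level reached}; values that never reach the warning level are absent.
    """
    window = timedelta(seconds=window_seconds)
    recent: dict = defaultdict(deque)   # value -> timestamps still inside the window
    levels: dict = {}
    for ev in sorted(events, key=lambda e: e.time):
        value = getattr(ev, field)
        if field.endswith("_port") and value in ignore_ports:
            continue
        stamps = recent[value]
        stamps.append(ev.time)
        while ev.time - stamps[0] > window:   # drop timestamps that fell out of the window
            stamps.popleft()
        count = len(stamps)
        if count >= incident:
            levels[value] = "incident"
        elif count >= warning and levels.get(value) != "incident":
            levels[value] = "warning"
    return levels


if __name__ == "__main__":
    evs = parse_firewall_log(SAMPLE_LOG)
    for name in ("source", "destination", "src_port", "dst_port"):
        print(name, rapid_series(evs, name, 60, warning=3, incident=5, ignore_ports=(80,)))
```

With port 80 listed in the Ignore set, the three blocked packets to port 80 no longer raise a destination-port warning, while the source 203.0.113.9 still reaches the incident level.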

Viewing Firewall Logs
To view firewall logs, select the appropriate filtering criteria using the Settings area and click Update. The following columns are displayed:
Column – Description
Time – The time that the firewall event occurred.
In – The interface at which the data packet arrived.
Out – The interface at which the data packet left.
Protocol – The network protocol used by the data packet.
Source – The IP address of the data packet's sender.
Src Port – The outbound port number used by the data packet.
Destination – The IP address of the data packet's intended destination.
Dst port – The inbound port number used by the data packet.

Blocking a Source IP
The firewall log viewer can be used to add a selected source or destination IP to the IP block list.
To block a source IP:
1 Navigate to the Logs and reports > Logs > Firewall page.
2 Select one or more source or destination IPs.
3 Click Add to IP block list. The selected source and destination IPs will be automatically added to the IP block list which you can review on the Networking > Filtering > IP block page. See Chapter 5, Blocking by IP on page 51 for more information.

Looking up a Source IP – whois
The firewall log viewer can be used to find out more information about a selected source or destination IP by using the whois tool.
To use whois:
1 Navigate to the Logs and reports > Logs > Firewall page.
2 Select a particular source or destination IP in Source and Destination columns.
3 Click Lookup. A lookup is performed and the result displayed on the System > Diagnostics > whois page.

IPSec Logs
IPSec logs show IPSec VPN information.

To access the logs:
1 On Logs and reports > Logs > IPSec.
2 Choose the tunnel you are interested in by using the Tunnel name control.
3 To view the logs for all of the tunnels at once, choose ALL as the tunnel name.
4 After making a change, click Update.

Exporting Logs
To export and download all log entries generated by the current settings, click Export.

Exporting all dates
To export and download all log entries generated by the current settings, for all dates available, select
Export all dates, and click Export.

Viewing and Sorting Log Entries
The following columns are displayed in the Web log region:
Column – Description
Time – The time the tunnel activity occurred.
Name – The name of the tunnel concerned.
Description – Log entries generated by the VPN system.
Log entries are displayed over a manageable number of pages. To view a particular page, click its
Page number hyperlink displayed above or below the log entries. The adjacent << (First), < (Previous),
> (Next) and >> (Last) hyperlinks provide an alternative means of moving between pages.
To sort the log entries in ascending or descending order on a particular column, click its Column title
hyperlink. Clicking the currently selected column reverses the sort direction.


Email Logs
Email logs provide detailed, configurable and searchable information on email activity regarding time,
sender, recipient, subject and spam status.

Configuring Email Logs
To access and configure email logs:
1 Navigate to the Logs and reports > Logs > Email page. Advanced Firewall displays the currently configured log entries.
2 Click Advanced. The following options are displayed:
Option – Description
Sender – Select to display who sent the email message(s).
Recipient – Select to display who the email message(s) are for.
Subject – Select to display the subject line of the email message(s).
Spam – Select to display information on message(s) that have been classified as spam.
3 Select the options you want to display. Advanced Firewall updates what is displayed.

Monitoring Email Log Activity in Realtime
It is possible to monitor email log activity in realtime.
To monitor email log activity in realtime:
1 On the Logs and reports > Logs > Email page, click Realtime. Advanced Firewall displays the currently configured log options in realtime in a table of log entries and in the email graph. The results are updated automatically.
Tip: To get a closer look at what is happening at a specific time, locate and click on that time in the graph. Advanced Firewall stops the realtime display and shows what has been logged at the time you clicked on.
2 To stop realtime monitoring, click Realtime. Advanced Firewall stops displaying realtime data.


Searching for/Filtering Email Log Information
Advanced Firewall enables you to search for/filter information in a number of ways.
To search for/filter information:
1 On the Logs and reports > Logs > Email page, use one or more of the following methods:
Method – Description
Graph – On the graph, locate and click on the time you are interested in. Advanced Firewall displays what was logged at the time you clicked on.
Time – Click in the date and time picker and specify when to search from. Click Apply. Advanced Firewall displays the results from the time specified and two hours forward.
Free search term – In the Sender, Recipient, Subject and/or Spam column(s), enter one or more search terms. Advanced Firewall displays the search results.

Exporting Email Data
It is possible to export logged data in comma-separated (CSV) format.
To export data:
1 On the Logs and reports > Logs > Email page, configure or search for the data you want to export. For more information, see Configuring Email Logs on page 245 and Searching for/Filtering Email Log Information on page 246.
2 Click Export. Follow your browser’s prompts to save and export the data.

IDS Logs
The IDS logs contain details of suspicious network activity detected by Advanced Firewall’s intrusion
detection system (IDS).
To view the IDS logs:
1 Navigate to the Logs and reports > Logs > IDS page. Advanced Firewall displays the results.
Option – Select to:
Month – Specify which month you wish to view logs for.
Day – Specify which day you wish to view logs for.


Export format – Logs can be exported in the following formats:
Comma Separated Values – The information is exported in comma separated text format.
Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
Raw Format – The information is exported without formatting.
Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.

Exporting Logs
To export logs:
1 Filter the logs to show the information you want to export.
2 Select the export format and if you want to export all dates.
3 Click Export. To save the exported log, use the browser's File, Save As option.

IPS Logs
The IPS logs contain details of suspicious network activity prevented by Advanced Firewall’s intrusion
prevention system (IPS).
To view the IPS logs:
1 Navigate to the Logs and reports > Logs > IPS page. Advanced Firewall displays the results.
Option – Select to:
Month – Specify which month you wish to view logs for.
Day – Specify which day you wish to view logs for.


Export format – Logs can be exported in the following formats:
Comma Separated Values – The information is exported in comma separated text format.
Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
Raw Format – The information is exported without formatting.
Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.

IM Proxy Logs
The IM proxy log page displays a searchable log of instant messaging conversations and file
transfers.
To view the IM proxy logs:
1 Browse to Logs and reports > Logs > IM proxy page.
The following settings are available:
Setting – Description
Local user filter – Enter the name of a local user whose logged conversations you want to view.


Enable local user filter – Select to display conversations associated with the local user name entered.
Remote user filter – Enter the name of a remote user whose logged conversations you want to view.
Enable remote user filter – Select to display conversations associated with the remote user name entered.
Enable smilies – Select to display smilies in the conversation.
Enable links – Select to make links in the conversation clickable.
Search – Here you can enter a specific piece of text you want to search for.
Conversations – Enables you to browse conversations by instant messaging protocol, user ID and date.

Web Proxy Logs
The proxy logs contain detailed information on all Internet access made via the web proxy service. It
is possible to filter the proxy logs using any combination of requesting source IP, and requested
resource type and domain.
To view the web proxy logs:
1 Browse to Logs and reports > Logs > Web proxy page.

Reverse Proxy Logs
The reverse proxy logs contain time, source IP and web site information about requests made using
the reverse proxy service.
To view reverse proxy logs:
1 Browse to the Logs and reports > Logs > Reverse proxy page.


Filtering Reverse Proxy Logs
The following filter criteria controls are available in the Settings area:
Control – Description
Month – Used to choose the month that proxy logs are displayed for.
Day – Used to choose the day that proxy logs are displayed for.
Year – Used to choose the year that proxy logs are displayed for.
Ignore filter – Used to enter a regular expression that excludes matching log entries. The default value excludes common log entries for image, JavaScript, CSS style and other file requests.
Enable ignore filter – Select to enable the filter.
Domain filter – Used to display log entries recorded against a particular domain. Matching will occur on the start of the domain part of the URL. For example, www.abc will match www.abc.com and www.abc.net but not match abc.net. It is possible to include regular expressions within the filter – for example (www.)?abc.com will match both abc.com and www.abc.com.
Enable domain filter – Select to enable the filter.
Export format – Logs can be exported in the following formats:
Comma Separated Values – The information is exported in comma separated text format.
Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
Raw Format – The information is exported without formatting.
Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.

Note: When running SSL VPNs in TCP mode, the reverse proxy access logs generated for HTTPS requests
will contain a source address of 127.0.0.1. This is because OpenVPN has to proxy the HTTPS
traffic. Therefore, from Advanced Firewall’s point of view, the traffic is originating from localhost.

Viewing Reverse Proxy Logs
To view proxy logs:
1 Select the appropriate filtering criteria using the Settings area and click Update. Proxy logs are displayed in the Proxy log area. The following columns are displayed:
Column – Description
Time – The time the web request was made.
Source IP – The source IP address the web request originated from.
Website – The URL of the requested web resource.
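The Ignore filter and Domain filter semantics described under Filtering Reverse Proxy Logs, applied to constructed Time, Source IP and Website entries, including one logged from 127.0.0.1 as the note on SSL VPNs in TCP mode describes. This is an added Python example, not Smoothwall code; the default Ignore pattern is an assumed stand-in, since the page describes but does not print it.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ProxyEntry:
    """One reverse proxy log row: the Time, Source IP and Website columns."""
    time: str
    source_ip: str
    website: str


# Constructed sample entries, not real appliance output. The 127.0.0.1 entry
# illustrates the note above: with SSL VPNs in TCP mode, HTTPS requests proxied
# by OpenVPN are logged with localhost as their source address.
SAMPLE_ENTRIES = [
    ProxyEntry("2013-12-02 10:00:01", "198.51.100.4", "http://www.abc.com/index.htm"),
    ProxyEntry("2013-12-02 10:00:01", "198.51.100.4", "http://www.abc.com/logo.png"),
    ProxyEntry("2013-12-02 10:00:02", "198.51.100.4", "http://www.abc.com/site.css"),
    ProxyEntry("2013-12-02 10:00:05", "203.0.113.7", "http://abc.net/login"),
    ProxyEntry("2013-12-02 10:00:09", "127.0.0.1", "https://www.abc.net/portal"),
    ProxyEntry("2013-12-02 10:00:11", "198.51.100.9", "http://xyzabc.com/"),
]

# Assumed stand-in for the default Ignore filter (the page describes its effect
# but does not print the pattern): drop image, JavaScript and CSS requests.
DEFAULT_IGNORE_FILTER = r"\.(gif|jpe?g|png|ico|js|css)(\?.*)?$"


def domain_part(url: str) -> str:
    """Return the host name part of a URL; a bare "host/path" is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def domain_matches(domain_filter: str, url: str) -> bool:
    """Domain filter semantics from the table: the pattern is a regular
    expression matched at the start of the domain part only, so "www.abc"
    matches www.abc.com and www.abc.net but not abc.net."""
    return re.match(domain_filter, domain_part(url)) is not None


def filter_entries(entries, ignore_filter=None, domain_filter=None):
    """Apply the Ignore filter (unanchored search over the whole URL), then the
    Domain filter, and return the entries the log viewer would display."""
    kept = []
    for entry in entries:
        if ignore_filter and re.search(ignore_filter, entry.website):
            continue
        if domain_filter and not domain_matches(domain_filter, entry.website):
            continue
        kept.append(entry)
    return kept


def requests_by_source(entries):
    """Count requests per Source IP. A large 127.0.0.1 share usually means
    SSL-VPN-in-TCP-mode traffic rather than a client on the firewall itself."""
    counts = {}
    for entry in entries:
        counts[entry.source_ip] = counts.get(entry.source_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for entry in filter_entries(SAMPLE_ENTRIES, DEFAULT_IGNORE_FILTER, "www.abc"):
        print(entry.time, entry.source_ip, entry.website)
    print(requests_by_source(SAMPLE_ENTRIES))
```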


User Portal Logs
The User portal log page displays information on users who have accessed user portals.
To view user portal log activity:
1 Browse to the Logs and reports > Logs > User portal page. Advanced Firewall displays the information.

Configuring Log Settings
Advanced Firewall can send syslogs to an external syslog server, automatically delete log files when
disk space is low and set the maximum log file retention settings.
To configure logging settings:
1 Browse to the Logs and reports > Logs > Log settings page.
2 In the Syslog logging area, select the logging you require.

3 To enable and configure remote logging, configure the following settings:
Setting – Description
Remote syslog – To send logs to an external syslog server, select this setting.
Syslog server – If you have selected the Remote syslog option, enter the IP address of the remote syslog server.
Default retention – To set default log retention for all of the logs listed above, select one of the following settings:
1 Day – Rotate the log file daily and keep the last day.
2 Days – Rotate the log file daily and keep the last 2 days.
A week – Rotate the log file weekly and keep the last week.
2 weeks – Rotate the log file weekly and keep the last 2 weeks.
A month – Rotate the log file monthly and keep the last month.
2 months – Rotate the log file monthly and keep the last 2 months.
Three months – Rotate the log file monthly and keep the last 3 months.
Four months – Rotate the log file monthly and keep the last 4 months.
Five months – Rotate the log file monthly and keep the last 5 months.
Six months – Rotate the log file monthly and keep the last 6 months.
Seven months – Rotate the log file monthly and keep the last 7 months.
Eight months – Rotate the log file monthly and keep the last 8 months.
Nine months – Rotate the log file monthly and keep the last 9 months.
Ten months – Rotate the log file monthly and keep the last 10 months.
Eleven months – Rotate the log file monthly and keep the last 11 months.
A year – Rotate the log file monthly and keep the last 12 months.
4 Optionally, to set an individual retention period for specific logs, click Advanced and configure the settings displayed.
5 Click Save. Advanced Firew all will log and retain the information you have specified and, if configured, send logs to the remote syslog server.

Configuring Other Log Settings
Advanced Firewall enables you to configure retention settings for other logs.
To configure other logs:
1 Browse to the Logs and reports > Logs > Log settings page.
2 In the Other logging area, configure the following settings:
Setting – Description
Default retention – To set default log retention for all of the logs listed in the table below, select one of the following settings:
1 Day – Rotate the log file daily and keep the last day.
2 Days – Rotate the log file daily and keep the last 2 days.
A week – Rotate the log file weekly and keep the last week.
2 weeks – Rotate the log file weekly and keep the last 2 weeks.
A month – Rotate the log file monthly and keep the last month.
2 months – Rotate the log file monthly and keep the last 2 months.
Three months – Rotate the log file monthly and keep the last 3 months.
Four months – Rotate the log file monthly and keep the last 4 months.
Five months – Rotate the log file monthly and keep the last 5 months.
Six months – Rotate the log file monthly and keep the last 6 months.
Seven months – Rotate the log file monthly and keep the last 7 months.
Eight months – Rotate the log file monthly and keep the last 8 months.
Nine months – Rotate the log file monthly and keep the last 9 months.
Ten months – Rotate the log file monthly and keep the last 10 months.
Eleven months – Rotate the log file monthly and keep the last 11 months.
A year – Rotate the log file monthly and keep the last 12 months.

3 Click Advanced to see what other logs are available and to determine if you want to set individual log retention settings.
Setting – Description
Default retention – From the drop-down menu, select the default retention period you want to use for advanced logging settings. To set individual retention periods, configure the settings below.
Intrusion detection logs – From the drop-down menu, select how long you want to keep intrusion detection logs.
Intrusion prevention logs – From the drop-down menu, select how long you want to keep intrusion prevention logs.
IM logs – From the drop-down menu, select how long you want to keep instant messaging logs.
4 Click Save. Advanced Firewall will now retain the logs as you have specified.

Managing Automatic Deletion of Logs
Advanced Firewall can be set to automatically delete log files if there is a limited amount of free disk space available.
To configure automatic log deletion:
1 Browse to the Logs and reports > Logs > Log settings page.
2 In the Automatic log deletion area, configure the settings:
Delete old logs when free space is low – Select to automatically delete logs when the specified amount of disk space has been used.
Amount of disk space to use for logging – From the drop-down list, select the level at which Advanced Firewall will delete logs.
3 Click Save. Advanced Firewall will delete the logs when the specified amount of disk space has been used.

Information, Alerts and Logging

Configuring Groups
The Groups page is used to create groups of users which can be configured to receive automated
alerts and reports.

Creating Groups
To create a group of users:
1 Browse to the Logs and reports > Settings > Groups page.
2 Configure the following settings:
Group name – From the Group name drop-down list, select Empty and click Select.
Name – Enter a name for the group.
3 Click Save. Advanced Firewall creates the group.
4 In the Add user area, configure the following settings:
Name – Enter a user's name.
SMS number – If required, enter the user's SMS number details.
Comment – Optionally, enter a description or comment.
Email address – If required, enter the user's email address.
Enable HTML Email – Select if you want emailed reports to be sent in HTML format.
Enabled – Select to ensure that the user will receive any reports or alerts that are sent to the group.

Smoothwall Advanced Firewall
Administrator’s Guide
5 Click Add. The user's details will be added to the list of current users in the Current users region.

Editing a Group
To edit a group:
1 Browse to the Logs and reports > Settings > Groups page.
2 Choose the group that you wish to edit using the Group name drop-down list. Click Select to display the group.
3 Make any changes to the group using the controls in the Add a user and Current users areas.

Deleting a Group
To delete a group:
1 Browse to the Logs and reports > Settings > Groups page.
2 Select the group to be deleted using the Group name drop-down list.
3 Click Delete.

Configuring Output Settings
Reports and alerts are distributed according to Advanced Firewall's output settings. In order to send reports and alerts, Advanced Firewall must be configured to operate with mail servers and email-to-SMS gateway systems.
To access output settings:
1 Browse to the Logs and reports > Settings > Output settings page.

About Email to SMS Output
Advanced Firewall generates SMS alerts by sending emails to a designated email-to-SMS gateway. When an email-to-SMS gateway receives an email, it extracts the information it needs and composes an SMS message which is then sent.
A wide variety of different email-to-SMS gateway services are available. Unfortunately, each has its own definition of the format that an email should arrive in. While there are a few conventions, usually the destination SMS number is placed in the email's subject line. A further complication is caused by email-to-SMS gateways that require parameters such as usernames and passwords to be set within the email's message body. In situations where truncation is enabled, such additional (yet required) parameter text may force truncation of the actual alert.
To compensate for this, it is necessary to configure Advanced Firewall so that it can format email messages in the format specified by your email-to-SMS gateway service provider.

About Placeholder Tags
To allow easy configuration of message formats for different service providers, Advanced Firewall uses placeholder tags that can be incorporated into an email template. The placeholder tags available are as follows:
%%ALERT%% – The content of the alert message.
%%HOSTNAME%% – The hostname of the Advanced Firewall system (useful when using multiple firewall systems).
%%DESCRIPTION%% – The description of the Advanced Firewall system (useful when using multiple firewall systems).
%%SMS%% – The recipient SMS number.
%%EMAIL%% – The recipient's email address.
%%--%% – A special placeholder that indicates that all text following it should be truncated to 160 characters. This requires truncation to be enabled (indicated by the Truncate SMS messages to 160 characters option).
For example, if an email-to-SMS gateway requires emails to be sent to <telephone number>@sampleSMS.com, the following configuration would provide this: %%SMS%%@sampleSMS.com
If the content of the message should be entered in the email message body, the following configuration would provide this: %%ALERT%%
Networks with multiple Advanced Firewall systems may wish to include detail of the system that the alert was generated by. The following examples would provide this:
%%ALERT%% - From: %%HOSTNAME%%
%%ALERT%% - From: %%HOSTNAME%% (%%DESCRIPTION%%)
%%ALERT%% - From: %%DESCRIPTION%%
%%ALERT%% - %%HOSTNAME%%
%%ALERT%% : %%DESCRIPTION%% (%%HOSTNAME%%)
Some email-to-SMS gateways cannot process messages whose content is longer than 160 characters. Advanced Firewall can be configured to truncate messages – in this mode, all characters past position 155 are removed and the text ...+ is appended to the message to indicate that truncation has occurred.
If truncation is required from a particular point onwards, use the %%--%% placeholder to indicate its start position. Where the gateway requires additional parameters in the message body, insert the special %%--%% placeholder at the start of the actual message content, so that any truncation is only applied to the actual alert content.

Configuring Email to SMS Output
To configure Advanced Firewall's SMS settings:
1 Browse to Logs and reports > Settings > Output settings.
2 In the Email to SMS Output System area, configure the following settings:
SMTP server – Enter the hostname or IP address of the SMTP server to be used by Advanced Firewall.
Enable SMTP auth – Select to use SMTP auth if required.
Username – If using SMTP auth, enter the username.
Password – If using SMTP auth, enter the password.
Sender's email address – Enter the sender's email address. This might also be an email address that is registered with your email-to-SMS gateway provider. This would typically be a valid email address reserved and frequently checked for IT administration purposes.
SMS to address – Specify the formatting of the email's To: address according to the format required by your service provider. This may be a regular email address, or it may require additional placeholders such as %%SMS%% to identify the destination of the SMS.
SMS subject line – Enter the subject line of the SMS email in the SMS subject line field as specified by your email-to-SMS service provider. This will often contain the %%SMS%% placeholder as many email-to-SMS gateways use the subject line for this purpose.
SMS message body – Enter additional parameters and the content of the alert message.
Truncate SMS messages to 160 characters – Select if you want the content of the SMS message body to be truncated to 160 characters or if your email-to-SMS gateway service provider instructs you to do so.
3 Click Save.

Testing Email to SMS Output
To test the output system:
1 In the Send test to: field, enter the cell phone number of the person who is to receive the test.
2 Click Send test.

Output to Email
To configure email settings:
1 Browse to Logs and reports > Settings > Output settings.
2 In the SMTP (Email) Output System area, configure the following settings:
SMTP server – Enter the hostname or IP address of the SMTP server to be used by Advanced Firewall.
Enable SMTP auth – Select to use SMTP auth if required.
Username – If using SMTP auth, enter the username.
Password – If using SMTP auth, enter the password.
Sender's email address – Enter the sender's email address. This might also be an email address that is registered with your email-to-SMS gateway provider. This would typically be a valid email address reserved and frequently checked for IT administration purposes.
3 Click Save.

Generating a Test Alert
To generate a test alert:
1 Configure Email to SMS output and/or SMTP (Email) output.
2 Click Generate test alert.
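The placeholder substitution and %%--%% truncation behaviour described above, worked through as an added example written for this guide rather than Smoothwall's own code; the marker text "...+", the gateway credential line and the sample alert values are assumptions of the example.

```python
"""Added example, not Smoothwall's code: render an SMS alert email from the
placeholder-tag template described above, including the %%--%% marker.
The truncation marker text and the sample values are assumptions."""
import re

SMS_LIMIT = 160       # gateway limit the guide describes
KEEP = 155            # characters kept when a message is truncated
TRUNC_MARK = "...+"   # assumed marker; the guide only shows that it ends in "+"
TRUNC_TAG = "%%--%%"

# The five placeholder tags listed in the guide.
PLACEHOLDER_RE = re.compile(r"%%(ALERT|HOSTNAME|DESCRIPTION|SMS|EMAIL)%%")


def substitute(template, values):
    """Replace each known %%TAG%% with its value; tags without a value stay."""
    return PLACEHOLDER_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def truncate(text):
    """Apply the 160-character rule: keep the first 155 characters and append
    the marker so the recipient can see that the alert was cut short."""
    if len(text) <= SMS_LIMIT:
        return text
    return text[:KEEP] + TRUNC_MARK


def render_body(template, values, truncate_enabled):
    """Render the SMS message body.

    With truncation enabled, everything before %%--%% (for example a gateway
    username/password line that must not be cut) is passed through untouched
    and only the text after the tag is truncated. Without the tag the whole
    body is truncated; with truncation disabled the tag is simply dropped.
    """
    if not truncate_enabled:
        return substitute(template.replace(TRUNC_TAG, ""), values)
    if TRUNC_TAG in template:
        head, _, tail = template.partition(TRUNC_TAG)
        return substitute(head, values) + truncate(substitute(tail, values))
    return truncate(substitute(template, values))


def build_sms_email(config, values):
    """Compose the To:, Subject: and body fields the email-to-SMS gateway sees."""
    return {
        "to": substitute(config["sms_to"], values),
        "subject": substitute(config["sms_subject"], values),
        "body": render_body(config["sms_body"], values, config["truncate"]),
    }


# Constructed configuration for a gateway that wants <number>@sampleSMS.com
# (the address form used in the guide) and credentials in the message body.
SAMPLE_CONFIG = {
    "sms_to": "%%SMS%%@sampleSMS.com",
    "sms_subject": "%%SMS%%",
    "sms_body": "USER=alerts PASS=<gateway-password>\n%%--%%"
                "%%ALERT%% - From: %%HOSTNAME%% (%%DESCRIPTION%%)",
    "truncate": True,
}

# Constructed alert values; the alert text is long enough to be truncated.
SAMPLE_VALUES = {
    "ALERT": "IDS alert: " + "possible port scan from 198.51.100.7 " * 6,
    "HOSTNAME": "fw1.example.com",
    "DESCRIPTION": "Head office",
    "SMS": "07700900123",
    "EMAIL": "it-admin@example.com",
}


def demo():
    """Render the sample alert; the credential line survives, the alert is cut."""
    return build_sms_email(SAMPLE_CONFIG, SAMPLE_VALUES)


if __name__ == "__main__":
    for field, text in demo().items():
        print(f"{field}: {text}")
```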

Chapter 13 Managing Your Advanced Firewall
In this chapter:
• Installing system and security updates
• Managing module installations and product licensing
• Creating and restoring archives
• Scheduling automatic maintenance
• Shutting down and restarting
• Setting system preferences
• Configuring administration and access settings
• Managing tenants
• Configuring UPS devices, modems, hardware failover and firmware settings
• Producing diagnostic files
• Managing certificates.

Installing Updates
The following section explains how to install updates. Advanced Firewall must be connected to the Internet in order to discover, download and install system updates. Updates are typically released in response to evolving or theoretical security threats as they are discovered. System updates may also include general product enhancements as part of Smoothwall's commitment to continuous product improvement.
Administrators should use Advanced Firewall's update facility whenever a new update is released. Smoothwall's support systems are directly integrated with Advanced Firewall's system update procedure, allowing the Smoothwall support department to track the status of your system.
Note: If Advanced Firewall is configured for failover, see Installing Updates on a Failover System on page 260 for information on how to proceed.

To install updates:
1 Navigate to the System > Maintenance > Updates page. Any updates available will be listed in the Available updates area.
2 Configure the following settings:
Refresh update list – Click to get a list of available updates.
Download updates – Click to download all available updates. Once downloaded, the updates are listed in the Pending updates area.
Install updates – Click to install all updates in the Pending updates area immediately.
Install at this time – Enter the time at which you want to install the updates if you do not want to install them immediately and click Install at this time.
Clear download cache – Click to clear any downloaded updates stored in the cache.
3 If the update requires a reboot, reboot the system on the System > Maintenance > Shutdown page.

Installing Updates on a Failover System
The following section explains how to install updates on a failover system.
To install updates on a failover system:
1 On the master's System > Maintenance > Updates page, download the updates.
2 Wait until the updates have been transferred to the failover unit. This should happen within 5 minutes.
3 Go to the failover unit's web interface and install the pending updates. Once they have been installed, the failover unit displays information on the update and prompts for a reboot.
4 On the System > Maintenance > Shutdown page, reboot the failover unit.
5 When the failover unit is up and running again, install the updates on the master and reboot. During master downtime, the failover unit is active and remains so until the master is live again.
Following these steps ensures the correct application of all pending updates and also performs a failover test between the master and the failover unit.

Managing Modules
Advanced Firewall's major system components are separated into individually installed modules. Modules can be added to extend Advanced Firewall's capabilities, or removed in order to simplify administration and reduce the theoretical risk of, as yet undiscovered, security threats. Advanced Firewall must be connected to the Internet in order to install modules.
Note: The information displayed depends on the product series you are using.
Note: Modules must be registered against your Advanced Firewall serial number before they can be installed and used. For further information, please consult your Smoothwall partner or, if purchased directly, Smoothwall.
To install a module:
1 Navigate to the System > Maintenance > Modules page.
2 In the Available modules area, locate the module and click Install. Please read the module description carefully prior to installation.
3 Reboot Advanced Firewall on the System > Maintenance > Shutdown page.
Note: Some module installations require a full reboot of Advanced Firewall.

Removing a Module
To remove a module:
1 Navigate to the System > Maintenance > Modules page.
2 In the Installed modules area, locate the module and click Remove.

Licenses
Advanced Firewall contains information on licenses and subscriptions.
Note: The information displayed depends on the Smoothwall product you are using.
To view license information:
1 Navigate to the System > Maintenance > Licenses page.
Note: The Subscriptions area is used to manage blocklists used by add-on modules. For more information, see the documentation delivered with your Smoothwall add-on module.

Installing Licenses
You can buy additional licenses from Smoothwall or an approved Smoothwall partner. License installation and activation is an automated process, initiated via a secure request to Smoothwall licensing servers.
To install additional licenses:
1 Navigate to the System > Maintenance > Licenses page.
2 Click Refresh license list. This will cause the available license information to be updated via the Internet, and any new licenses will be installed.

Archives
The Archives page is used to create and restore archives of system settings. Archives can be saved on removable media and used when restoring an Advanced Firewall system. They can also be used to create clones of existing systems.

Tip: Log on to our support portal and read how to set up a Windows SSH server with keys in order to back up system settings.

About Archive Profiles
You can assign a profile to an archive, enabling you to specify which components you want backed up in a particular archive. You can create and assign up to 20 profiles and generate their archives automatically. Profiles are also used to store settings for Smoothwall replication systems. For more information on replication in Smoothwall systems, see Chapter 14, Centrally Managing Smoothwall Systems on page 291.
Note: You can automatically schedule the creation of backup archives. For further information, see Scheduling on page 264.

Creating an Archive
To create an archive:
1 Navigate to the System > Maintenance > Archives page.
2 Configure the following settings:
Profile – To create a new profile, from the drop-down list, select Empty and click Select. To reuse or modify an existing profile, from the drop-down list select the profile and click Select.
Profile name – Enter a name for the profile.
Comment – Enter a description for the archive.
Automatic backup – Select if you want to archive settings automatically.
Settings – Settings available include general settings for Advanced Firewall and replicable settings which can be used in a Smoothwall system. Select the components you want to archive or select All to select and archive all settings. A symbol next to a setting indicates that the setting can be replicated. For more information, see Chapter 14, Centrally Managing Smoothwall Systems on page 291.
Logs – Select the log files you want to archive or select All to select and archive all logs.
3 Click Save and backup to create the archive.

Downloading an Archive
To download an archive:
1 In the Archives area, select the archive.
2 Click Download and save the archive to disk using the browser's Save as dialog box.

Restoring an Archive
To restore an archive:
1 In the Archives area, select the archive.
2 Click Restore. The archive contents are displayed.
3 Select the components in the archive that you want to restore and click Restore.

Uploading an Archive
This is where you upload archived settings from previous versions of Advanced Firewall and Smoothwall modules so that they can be re-used in the current version(s).
To upload an archive:
1 In the Upload area, enter the name of the archive or click Browse.
2 Navigate to and select the archive.
3 Click Upload to upload the archive.

Deleting Archives
To delete an archive:
1 In the Archives area, select the archive and click Delete.

Scheduling
You can configure Advanced Firewall to automatically discover and download system updates, modules and license upgrades using the scheduler. You can also use the scheduler to create and remotely archive automatic backups. Other system modules can integrate with the scheduler to provide additional automated maintenance tasks.

To create a schedule of tasks:
1 Navigate to the System > Maintenance > Scheduler page.
2 Configure the following settings:
Day – From the drop-down list, select the day of the week that the tasks will be executed.
Hour – From the drop-down list, select the time of day at which the tasks will be executed.
Check for new updates – Select to check for new system updates.
Download updates – Select to download available updates.
Check for new modules – Select to check for new modules.
Check for license upgrades – Select to discover and install license upgrades.

Prune archives – Options here enable you to schedule archive pruning if you require it. Select one of the following options:
Don't prune – This is the default option; archives are never pruned.
Over a month – Select this option to prune archives that are older than one month.
Over 2 months – Select this option to prune archives that are older than two months.
Over 3 months – Select this option to prune archives that are older than three months.
3 Click Save.

Scheduling Remote Archiving
Scheduled remote archiving uses SSH keys to allow Advanced Firewall to securely copy files to a remote SSH server without the need for passwords. The use of SSH keys requires Advanced Firewall to generate a key pair which it will use to encrypt all file transfers sent to the SSH server. The SSH server must be configured to accept connections from Advanced Firewall in this manner – it requires the public half of the key pair to be installed.
To schedule remote archiving:
1 Navigate to the System > Maintenance > Scheduler page.
2 In the Remote archive destinations area, click Export Public Backup Key.
3 Install the public key on the remote SSH server – for details on how to do this, please consult the administrator's guide of the SSH server in use.
4 In the Remote archive destinations area, enter the following information:
Name – Enter a name to identify this destination.
Server – Set the IP address of the SSH server.
Port Number – Set the port number used to access the SSH server (normally port 22).
Username – Specify the user name of the account on the SSH server that will be used. For additional security it is recommended that this user has no additional privileges and is only allowed write access to the specified Remote path.
Remote path – Enter the path where archives are to be stored on the remote SSH server, for example: /home/mypath/ If left blank, Advanced Firewall uses the default home directory of the specified remote user.
Transfer Speed Limit – Specify the maximum transfer speed when automatic archiving occurs. This control is useful for preventing the automatic remote archiving system adversely affecting the performance of other network traffic.
Comment – Enter a description of the destination.
5 Click Add.
6 Repeat the steps above to make other destinations available.

7 In the Remote archival area, enter the following information:
Day – The day of the week to carry out the archive.
Hour – The hour of the day to carry out the archive.
Archive profile – From the drop-down list, select an archive profile as configured on the Archives page.
Archive destination – From the drop-down list, select a destination as configured in the Remote archive destinations area.
Enabled – Select to enable the archive.
Comment – Enter a description of the archive.
8 Click Add.
9 Repeat the steps above to configure other archives for scheduled remote archiving.
Note: A local copy of the archive is also created and stored.

Editing Schedules
To edit a schedule:
1 In the appropriate area, select the destination or task and click Edit or Remove.

Shutting down and Rebooting
Advanced Firewall can be shut down or restarted immediately, after a specified delay or at a predetermined time.
To shut down or reboot:
1 Browse to the System > Maintenance > Shutdown page.
2 Configure the following settings:
Immediately – Select to shut down or reboot immediately.
Delay action for – Select to shut down or reboot after a specified length of time. From the drop-down menu, select the length of time.

At the following time – Select to shut down or reboot at a specified time. From the drop-down menu, select the hour and minute at which to shut down or reboot.
3 Click Reboot to reboot at the specified time, or click Shutdown to shut down at the specified time.

Setting System Preferences
The following sections discuss how to configure the user interface, time settings and a web proxy if your ISP requires you to use one.

Configuring the User Interface
Advanced Firewall can be customized in different ways, depending on how you prefer working. The main changes that can be made are the method of displaying errors and the drop-down list navigation system. It is also possible to alter the system's description.
To configure the user interface:
1 Browse to the System > Preferences > User interface page.
2 Configure the following settings:
Host information – In the description field, enter a description to identify Advanced Firewall. This will be displayed in the title bar of the browser window.
System control page – From the Report to show drop-down list, select the report you want displayed on the Dashboard.
Dashboard sections – Determines what, if any, information is displayed in the System Services area on the Dashboard.
3 Click Save.

Setting Time
Advanced Firewall's time zone, date and time settings can be specified manually or automatically retrieved from a local or external Network Time Protocol (NTP) server, typically located on the Internet. Advanced Firewall can also act as an NTP server itself, allowing network wide synchronization of system clocks.
To set the time:
1 Navigate to the System > Preferences > Time page.
2 Configure the following settings:
Timezone – From the drop-down list, select the appropriate time zone.
Time and date – To manually set the time and date: 1 Select Set and use the drop-down lists to set the time and date.
Network time retrieval – To automatically retrieve time settings: 1 Select Enabled in the Network time retrieval area. 2 Choose the time retrieval frequency by selecting an interval from the Interval drop-down list. 3 Select Save time to RTC to ensure that the time is written back to the system's hardware clock (the Real-Time Clock). 4 Choose one of the following network retrieval methods:
Multiple random public servers – Select to set the time as the average time retrieved from five random time servers.
Selected single public server – Select from the drop-down list a public time server to use to set the time.
User defined single public or local server – Enter the address of a specific local or external time server.

Network time service interfaces – Advanced Firewall can be used to synchronize the system clocks of local network hosts by providing a time service. To synchronize the network time service: 1 Enable network time retrieval. 2 Select each internal network interface that the network time service should be available from.
3 Click Save.

Configuring Registration Options
Advanced Firewall enables you to use an upstream registration proxy if your ISP requires you to use one, and optionally, supply information about the status of your system and web filtering statistics.
To configure registration options:
1 Navigate to the System > Preferences > Registration options page.
2 Configure the following settings:
Upstream registration proxy –
Server – Enter the hostname or IP address of the proxy server.
Port – Enter the port number to use.
Username – Enter the username provided by your ISP.
Password – Enter the password provided by your ISP.
Note: The upstream proxy has no bearing on Advanced Firewall proxy services.

Extended information – When registering, Advanced Firewall registration sends information about licences, subscription and add-on modules to Smoothwall. When this option is enabled and depending on which add-on modules are installed, the following information is also sent:
• Enabled status for optional services
• The number of configured interfaces and whether they are internal or external
• Authentication service settings and the LDAP server type
• Guardian transparent mode and authentication service settings mode
• Manufacturer name and product name – from dmidecode
• Main board manufacturer and main board product name – from dmidecode.
Provide filtering feedback – When enabled, Advanced Firewall will periodically send information about web filtering accuracy and a list of the domains of any web sites which could not be classified.
Note: No usernames, passwords or sensitive information are sent and any potentially identifying data is summarized before sending. Smoothwall will take every available measure to ensure data cannot be associated with your organization and no personal information is ever sent.
3 Click Save. Advanced Firewall starts to use the configured upstream proxy when registering, updating and/or installing add-on modules and, if enabled, sends registration and/or filtering information.

Configuring the Hostname
You can configure Advanced Firewall's hostname. A hostname should usually include the name of the domain that it is within.
To change the hostname:
1 Browse to the System > Preferences > Hostname page.
2 Enter a new value in the Hostname field and click Save.
Note: After setting the hostname, a reboot is required before the HTTPS server will use the hostname in its Common Name field.

Configuring Administration and Access Settings
The following sections discuss administration, external access and account settings.

Configuring Admin Access Options
You can enable and disable remote access to Advanced Firewall's console via Secure Shell (SSH) and configure remote access referral checking.
Note: Terminal access to Advanced Firewall uses the non-standard port 222.
To access Advanced Firewall via remote SSH, the following criteria must be met:
• The host must be from a valid network zone
• The host must be from a valid source IP
• The SSH service must be enabled
• Admin access must be set to enabled
• The setup or root username and password must be known.
To permit access to the console via SSH:
1 Navigate to the System > Administration > Admin options page.
2 Select SSH and click Save.

Referral Checking
In order to ensure that configuration requests from the web interface originate from a logged in administrator, and not some third party web page, you can enable remote access referral checking. When enabled, administration requests are only processed if the referral URL contains the local IP address, the local hostname, or the external IP address where applicable.
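The referral check described above, as an added example modelled on the guide's description rather than Smoothwall's implementation; it compares the parsed host of the referral URL exactly against the permitted hosts (not a substring test), and the hostnames, addresses and request records are constructed for the example.

```python
"""Added example, not Smoothwall's code: the referral (Referer) check the guide
describes, modelled on its description. Hostnames, addresses and the request
records are constructed for this example."""
from urllib.parse import urlsplit


def allowed_referral_hosts(local_ip, local_hostname, external_ip=None):
    """Build the set of hosts a referral URL may name: the local IP address,
    the local hostname and, where applicable, the external IP address.
    A DNS or Dynamic DNS name is deliberately absent, which is why the guide
    says the check blocks administration via such names."""
    hosts = {local_ip.lower(), local_hostname.lower()}
    if external_ip:
        hosts.add(external_ip.lower())
    return hosts


def referral_ok(referer, allowed_hosts):
    """True when the Referer header's host is one of the allowed hosts.

    This example compares the parsed host exactly rather than testing whether
    the URL merely contains the address as a substring, so a third-party page
    at fw.example.com.evil.test, or a URL carrying the address only in its
    userinfo, path or query string, does not pass."""
    if not referer:
        return False                       # no Referer at all: treat as untrusted
    try:
        host = urlsplit(referer).hostname  # strips scheme, port, path, userinfo
    except ValueError:
        return False                       # malformed URL (e.g. bad IPv6 literal)
    return host is not None and host.lower() in allowed_hosts


def process_admin_request(request, allowed_hosts, log):
    """Apply the check to one configuration request. Rejected requests are
    ignored and recorded, as the guide says they are reported in the log."""
    referer = request.get("referer")
    if referral_ok(referer, allowed_hosts):
        return True
    log.append(f"admin request {request['path']} ignored: bad referral {referer!r}")
    return False


# Constructed requests: two legitimate ones from the admin UI itself and three
# that should be rejected (no Referer, a dynamic DNS name, a lookalike host).
SAMPLE_REQUESTS = [
    {"path": "/cgi-bin/save", "referer": "https://192.168.10.1:441/admin"},
    {"path": "/cgi-bin/save", "referer": "https://fw.example.com:441/admin"},
    {"path": "/cgi-bin/save", "referer": None},
    {"path": "/cgi-bin/save", "referer": "https://fw.dyndns.example.test/admin"},
    {"path": "/cgi-bin/save", "referer": "https://fw.example.com.evil.test/page"},
]


def demo():
    """Run the sample requests; returns (number accepted, log lines)."""
    allowed = allowed_referral_hosts("192.168.10.1", "fw.example.com", "203.0.113.5")
    log = []
    accepted = sum(process_admin_request(r, allowed, log) for r in SAMPLE_REQUESTS)
    return accepted, log


if __name__ == "__main__":
    count, lines = demo()
    print(f"accepted {count} of {len(SAMPLE_REQUESTS)} requests")
    print("\n".join(lines))
```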

If the referral is not from an Advanced Firewall page, the request is ignored and reported in the general Smoothwall log file.
Note: This function prevents Advanced Firewall from being accessed remotely via a DNS or a Dynamic DNS address. To remotely manage an Advanced Firewall system via a DNS or a Dynamic DNS address, the referral URL check must be disabled.
To enable referral checking:
1 Navigate to the System > Administration > Admin access page.
2 Select Allow admin access only from valid referral URLs in the Remote Access area.
3 Click Save.

Configuring External Access
External access rules are used to determine which interfaces, services, networks and host systems can be used to administer Advanced Firewall. The default external access rule allows administrators to access and configure Advanced Firewall from any source IP that can route to the system's first (default) network interface. This default rule allows administrators to access any of the following admin services:
• SSH admin – Access to the system console using port 222. Requires SSH access to be enabled, see Configuring Admin Access Options on page 272.
• HTTP admin – Access to the web-based interface on port 81.
• HTTPS admin – Access to the web-based interface on port 441.
To enable external access:
1 Browse to the System > Administration > External access page.
2 Configure the following settings:
Interface – From the drop-down list, select the interface that access is permitted from.

Source IP, range or network – Specify individual hosts, ranges of hosts or subnet ranges of hosts that are permitted to use admin access. For a range of hosts, enter an IP address range, for example, 192.168.10.1-192.168.10.50. For a particular subnet of hosts, enter a subnet range, for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24. If no value is entered, any source IP can access the system.
Service – Select the permitted access method.
Comment – Enter a description for the access rule.
Enabled – Select to activate access.
3 Click Add. The access rule is added to the Current rules table.
Note: Do not remove the default external access rule; it provides access to the default internal network.

Editing and Removing External Access Rules
To edit or remove access rules, use Edit and Remove in the Current rules area.

Administrative User Settings
Advanced Firewall supports different types of administrative accounts.
To manage accounts:
1 Navigate to the System > Administration > Administrative users page.
2 Configure the following settings:
Username – Enter a name for the user account.
Password – Enter a password. Passwords are case sensitive and must be at least six characters long.

Again – Re-enter the password to confirm it.
Permissions – Select the account permissions you want to apply to the account:
Administrator – Full permission to access and configure Advanced Firewall.
Operator – Permission to shut down or reboot the system.
Log – Permission to view the system log files.
Realtime logs – Permission to view realtime logs.
Reporting system – Permission to access the reporting system.
Rule editor user – Permission to edit networking outgoing policies, ports and external services. For more information, see Chapter 7, Managing Outbound Traffic and Services on page 72.
Temp ban – Permission to access and change temporary ban status.
SMTP quarantine – Permission to access and manage the SMTP quarantine pages.
Portal User – Permission to access the user portal pages.
3 Click Add to add the account.

Changing a User's Password
To set or edit a user's password:
1 Browse to the System > Administration > Administrative users page.
2 In the Current users area, select the user and click Edit.
3 Enter and confirm the new password in the Password and Again fields.
4 Click Add to activate the changes.

Managing Tenants
Note: To add tenants, you must have the correct Advanced Firewall license type. Contact your Smoothwall representative for more information.
Advanced Firewall's multi-tenancy functionality enables you to define client organizations – known as tenants – which can access and use Advanced Firewall services. Multi-tenancy enables Advanced Firewall to apply network permissions to users whose usernames are not unique. Each tenant has its own directory server(s) and users. For information on tenants and directories, see Chapter 10, Configuring Directories on page 195.

Adding a Tenant
Note: When you add tenants to Advanced Firewall, connections coming from addresses not associated with a tenant will be unable to authenticate.

To add a tenant:
1 Browse to the System > Administration > Tenants page.
2 Click Add new tenant.
3 In the Add new tenant dialog box, configure the following settings:
Setting / Description
Name: Enter a name to identify the tenant.
IP address range: Enter the tenant's IP address, subnet or range. Note: An address can only be used by a single tenant. Tenant addresses cannot overlap.
4 Click Add. Advanced Firewall adds the tenant.
5 Repeat the steps above for any other tenants you want to add.

Editing a Tenant
To edit a tenant:
1 On the System > Administration > Tenants page, point to the tenant and click Edit.
2 In the Edit tenant dialog box, make the changes you require. See Adding a Tenant on page 275 for information on the settings available.
3 Click Save changes. Advanced Firewall applies the changes.

Deleting a Tenant
To delete a tenant:
1 On the System > Administration > Tenants page, point to the tenant and click Delete.
2 When prompted, click Delete. Advanced Firewall deletes the tenant.

Hardware
The following sections discuss how to configure UPS devices, modems and firmware settings.
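A check for the tenant address rule above (an address may belong to only one tenant, so tenant ranges must not overlap), added here as an example; it is not part of the Smoothwall product. It accepts the address forms this guide uses for address fields (a single host, a subnet as 192.168.10.0/24 or with a netmask, and a first-last range) and reports which tenant pairs collide. Tenant names and addresses are constructed sample data.

```python
"""Check a proposed set of tenant address entries for overlaps.

Added example, not part of the Smoothwall guide or product. It models the
rule that an address can belong to only one tenant, so tenant ranges must
not overlap. Entry formats: a single IP, a subnet written as
192.168.10.0/24 or 192.168.10.0/255.255.255.0, or a range written as
192.168.10.1-192.168.10.50. Tenant names and addresses below are
constructed sample data.
"""
import ipaddress
from itertools import combinations


def parse_address_entry(entry):
    """Return a list of ip_network objects covering one tenant entry."""
    text = entry.strip()
    if "-" in text:
        start_s, end_s = (part.strip() for part in text.split("-", 1))
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if end < start:
            raise ValueError(f"range end precedes start: {entry}")
        # summarize_address_range yields the minimal set of CIDR blocks
        return list(ipaddress.summarize_address_range(start, end))
    # ip_network handles "a.b.c.d", "a.b.c.0/24" and "a.b.c.0/255.255.255.0";
    # strict=False tolerates host bits set in the address part.
    return [ipaddress.ip_network(text, strict=False)]


def find_tenant_overlaps(tenants):
    """tenants: dict mapping tenant name -> address entry.

    Returns a sorted list of (name_a, name_b) pairs whose address space
    intersects; an empty list means the table satisfies the rule.
    """
    parsed = {name: parse_address_entry(addr) for name, addr in tenants.items()}
    conflicts = []
    for (name_a, nets_a), (name_b, nets_b) in combinations(sorted(parsed.items()), 2):
        if any(na.overlaps(nb) for na in nets_a for nb in nets_b):
            conflicts.append((name_a, name_b))
    return conflicts


# Constructed sample tenant table (not from the guide)
SAMPLE_TENANTS = {
    "acme": "192.168.10.0/24",
    "globex": "192.168.11.1-192.168.11.50",
    "initech": "192.168.10.200",          # single host inside acme's subnet
    "umbrella": "10.0.0.0/255.255.0.0",
}

if __name__ == "__main__":
    for a, b in find_tenant_overlaps(SAMPLE_TENANTS):
        print(f"overlap: tenant '{a}' and tenant '{b}'")
```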

Managing UPS Devices
Uninterruptible Power Supply (UPS) device(s) physically connected to Advanced Firewall provide emergency power to Advanced Firewall if the mains power supply fails.

UPS Connection Prerequisites
Before you start configuring Advanced Firewall to use a UPS device:
1 Follow the documentation delivered with your UPS device to prepare it for use.
2 Connect the UPS device to Advanced Firewall.
3 On the System > Maintenance > Shutdown page, reboot immediately. Once rebooted, you are ready to start configuring the UPS device.

Configuring the Global Shut Down Condition
The global shut down condition determines when, if ever, an Advanced Firewall connected to a UPS device should shut down. To configure the global shut down condition:
1 Browse to the System > Hardware > UPS page.
2 Select when Advanced Firewall should shut down:
Setting / Description
Never: Select to never shut down Advanced Firewall.
When all remaining UPS are at low battery: Select to shut down Advanced Firewall when all currently connected UPS devices are at low battery levels.
After a set time of being on battery: Select to specify how long to wait before shutting down Advanced Firewall when running on UPS battery. Delay before shut down – Enter how long in minutes to wait before shutting down Advanced Firewall.
3 Click Save changes. Advanced Firewall applies the shut down condition.

Configuring UPS Devices
UPS devices can be configured to use the following types of connections:

• USB – connects to Advanced Firewall via a USB connection. For more information, see Configuring a UPS Device with a USB Connection on page 278
• Serial – connects to Advanced Firewall via a serial connection. For more information, see Configuring a UPS Device with a Serial Connection on page 278
• SNMP – connects to Advanced Firewall via an SNMP connection. For more information, see Configuring a UPS Device with an SNMP Connection on page 278
• HTTP – connects to Advanced Firewall via an HTTP connection. For more information, see Configuring a UPS Device with an HTTP Connection on page 279.
Advanced Firewall also makes information about UPS devices available on the System > Central management > Overview page; see Chapter 14, Accessing the Node Details Page on page 298. It is also possible to configure an alert which is triggered when power switches to and from mains supply; for more information, see Chapter 12, Enabling Alerts on page 229.

Configuring a UPS Device with a USB Connection
To configure a USB connection:
1 On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS.
2 In the Add new UPS dialog box, configure the following settings:
Setting / Description
Name: Enter a name for the UPS device.
UPS connection: Select USB.
Manufacturer: From the drop-down lists, select the UPS device's manufacturer and model.
3 Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Configuring a UPS Device with a Serial Connection
To configure a serial connection:
1 On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS.
2 In the Add new UPS dialog box, configure the following settings:
Setting / Description
Name: Enter a name for the UPS device.
UPS connection: Select Serial.
Port: From the drop-down list, select the port the UPS device uses.
3 Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Configuring a UPS Device with an SNMP Connection
To configure an SNMP connection:
1 On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS.
2 In the Add new UPS dialog box, configure the following settings:
Setting / Description
Name: Enter a name for the UPS device.
UPS connection: Select SNMP.
IP address: Enter the IP address that the UPS device will use.
SNMP community: Enter the UPS device's SNMP community string.
3 Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Configuring a UPS Device with an HTTP Connection
To configure an HTTP connection:
1 On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS.
2 In the Add new UPS dialog box, configure the following settings:
Setting / Description
Name: Enter a name for the UPS device.
UPS connection: Select HTTP.
IP address: Enter the IP address that the UPS device will use.
Username: If required, enter the user name to be used to connect the device to Advanced Firewall.
Password: If required, enter the password to be used to connect the device to Advanced Firewall.
Confirm: If required, re-enter the password to be used to connect the device to Advanced Firewall.
3 Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Editing UPS Devices
To edit a UPS device's settings:
1 On the System > Hardware > UPS page, in the Connected UPS area, point to the device you want to edit and click Edit.
2 In the Edit UPS dialog box, make the changes required. See Configuring UPS Devices on page 277 for information on the settings available.
3 Click Save changes. Advanced Firewall changes the settings and lists the device in the Connected UPS area.

Deleting UPS Devices
To delete a UPS device:
1 On the System > Hardware > UPS page, in the Connected UPS area, point to the device you want to delete and click Delete.
2 When prompted, click Delete to confirm that you want to delete the device. Advanced Firewall deletes the device and removes it from the list in the Connected UPS area.

Managing Hardware Failover
Note: Hardware failover is not included as standard with Advanced Firewall – it must be licensed separately. Contact an authorized Smoothwall partner or visit www.smoothwall.net for more information.
Advanced Firewall's hardware failover enables you to configure a failover Advanced Firewall system which, in the event of hardware failure, provides all the protection and services your master Advanced Firewall usually provides.

How does it work?
When configured and enabled, the failover Advanced Firewall runs in a standby mode monitoring the master Advanced Firewall for a heartbeat communication. Heartbeat is the name of a suite of

services and configuration options that enable two identical Advanced Firewall systems to be configured to provide hardware failover.
The master periodically copies settings to the failover unit to ensure that the failover unit can provide a fully configured service if the master fails. Since part of this information includes the IP addresses for each of the master interfaces, the failover unit will essentially provide a drop-in replacement and the transition will generally go unnoticed.
Note: Settings are copied intermittently and it is theoretically possible that the failover unit will be a few minutes behind configuration changes made to the master.
If the master fails, it stops responding to the failover unit's heartbeat and the failover unit therefore determines that the primary system is no longer available. This will occur somewhere between 0 seconds and the keep-alive time specified when configuring failover. The failover unit then enters a more responsive mode where it monitors the master for its revival. It remains in this mode for the length of dead time you have configured. This stage is designed principally to cope with intermittent failures within the communication system, such as a heavily loaded master. Once the dead time has expired, the failover unit awakens from its standby mode and begins reinstating the settings and services which allow it to take over operations from the master.
When the master starts to respond again, be it minutes, days or weeks later, the failover unit hands over control to the master, de-activates its configuration and services and returns to standby mode, assuming that auto failback is enabled.

Prerequisites
The following must be in place for hardware failover to work:
• A private network consisting of only two Advanced Firewall systems connected via their heartbeat interfaces, preferably using a crossover cable
• The master and failover unit should both use the same types of hard disk drives, RAM, and above all the same type and number of network interface cards
• The failover unit must be plugged into all the switches the master is plugged into
• SSH must be enabled on the master; see Configuring Admin Access Options on page 272 for more information.

Configuring Hardware Failover
Configuring hardware failover entails:
• On the master, specifying a network interface for the heartbeat and configuring and generating a failover archive to deploy on the failover unit
• On the failover unit, installing Advanced Firewall and deploying the failover archive.
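The stages described above (a missed heartbeat noticed within one keep-alive interval, a dead-time wait during which a recovering master cancels the takeover, the takeover itself, and the return to standby when Auto failback is set) as a small discrete-time model. This is an added example, not Smoothwall's Heartbeat code; the settings object, the state names and the outage times are constructed for illustration.

```python
"""Simulate the heartbeat, keep-alive and dead-time behaviour of a failover unit.

Added example; this is not Smoothwall's Heartbeat implementation, only a
discrete-time model of the stages the guide describes. The failover unit
checks for the master's heartbeat once per keep-alive interval, waits for
the configured dead time while watching for the master to recover, then
takes over; with auto failback enabled it returns to standby once the
master responds again. Settings and outage times are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class FailoverSettings:
    keep_alive: int = 1        # seconds between heartbeat checks (guide default: 1)
    dead_time: int = 30        # seconds to wait after the first missed heartbeat
    auto_failback: bool = True


@dataclass
class FailoverUnit:
    settings: FailoverSettings
    state: str = "STANDBY"                   # STANDBY, SUSPECT or ACTIVE
    missed_since: Optional[int] = None       # time of the first missed heartbeat
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    def _enter(self, state, now):
        self.transitions.append((now, state))
        self.state = state

    def on_heartbeat_check(self, now, master_alive):
        """Called once per keep-alive interval with the master's real status."""
        if self.state == "STANDBY":
            if not master_alive:
                # first missed heartbeat: start the dead-time watch
                self.missed_since = now
                self._enter("SUSPECT", now)
        elif self.state == "SUSPECT":
            if master_alive:
                # intermittent failure (e.g. a heavily loaded master): no takeover
                self.missed_since = None
                self._enter("STANDBY", now)
            elif now - self.missed_since >= self.settings.dead_time:
                self._enter("ACTIVE", now)
        elif self.state == "ACTIVE":
            if master_alive and self.settings.auto_failback:
                # hand control back and return to standby
                self.missed_since = None
                self._enter("STANDBY", now)


def simulate(settings, master_down_intervals, duration):
    """Run the model for `duration` seconds.

    master_down_intervals is a list of (start, end) half-open intervals during
    which the master sends no heartbeat. Returns the list of
    (time, new_state) transitions of the failover unit.
    """
    unit = FailoverUnit(settings)
    for now in range(0, duration + 1, settings.keep_alive):
        alive = not any(start <= now < end for start, end in master_down_intervals)
        unit.on_heartbeat_check(now, alive)
    return unit.transitions


if __name__ == "__main__":
    cfg = FailoverSettings(keep_alive=1, dead_time=30, auto_failback=True)
    # Constructed scenario: a 10 s glitch at t=100, then a real outage at t=200
    for when, state in simulate(cfg, [(100, 110), (200, 400)], 500):
        print(f"t={when:4d}s  failover unit -> {state}")
```

With a longer keep-alive interval the first SUSPECT transition lands up to one interval after the master stops, which is the "between 0 seconds and the keep-alive time" detection window described above.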

Configuring the Master
To configure the master Advanced Firewall:
1 Navigate to the Networking > Interfaces > Interfaces page.
2 Point to the interface to be used by the hardware failover master and failover unit systems to communicate with each other and click Edit.
Note: The master and failover unit systems are connected via their heartbeat interfaces on a private network. It is critically important that this network is not congested and suffers as little latency as is possible. Using a crossover cable also minimizes the risk of failure, as it is possible that the switch the heartbeat interface is on could fail. For these reasons, we strongly recommend that this connection be a crossover cable.
3 In the Edit interface dialog box, configure the following settings:
Setting / Description
Name: Accept the default name or enter a custom name.
Use as: Select Heartbeat interface.

Spoof MAC: Optionally, enter a spoof MAC if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.
MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.
4 Click Save changes.
5 Navigate to the System > Hardware > Failover page.
6 Configure the following settings:
Setting / Description
Enabled: Select to enable failover.
Master heartbeat IP: Enter an IP address for the master.
Netmask: Enter a netmask.
Slave heartbeat IP: Enter an IP address for the failover unit.
Note: We recommend that the heartbeat network be private and only used by the master and failover units.
Keep-alive interval: Set the interval after which the master and failover unit communicate to ensure the master is still working. In non-congested networks, we recommend a very short interval which is undetectable in terms of system performance. The default is 1 second.
Dead time: Specify how long after the failover unit has become aware that the master is no longer responding it should wait before taking over from the master.
Auto failback: Select if you want the failover unit to automatically hand back control to the master when the master starts to respond after a hardware failure. The failover unit will hand over control to the master, deactivate its configuration and services and return to standby status.
7 Click Save.

8 Browse to the System > Maintenance > Shutdown page, select Immediately and click Reboot. Wait a couple of minutes for the system to reboot and then log in again.
The next step is to generate the failover archive to deploy on the failover unit.

Generating a Failover Archive
A failover archive contains the settings required to configure the failover unit to provide hardware failover for Advanced Firewall.
Note: The size of the failover unit archive varies depending on the Smoothwall modules installed. 50 M bytes is an average size.
To generate a failover archive:
1 Navigate to the System > Hardware > Failover page and configure and save the failover settings. See Configuring the Master on page 281.
2 Click Generate slave setup archive. Advanced Firewall generates the archive and prompts you to specify where to save it.
3 Save the archive on some suitable removable media accessible by the failover unit.
The next step is to use the archive to implement the failover settings on the failover unit.

Implementing Failover Settings on the Failover Unit
Implementing failover on the failover unit entails running the setup program and using the restore options to apply the settings. To implement failover on the failover unit:
1 Install Advanced Firewall using the quick install option. See the Advanced Firewall Installation and Setup Guide for more information.
On the following screen:
1 Select Yes and press Enter. You are prompted to insert the media.
2 Select the type of media the archive is stored on and press Enter.
3 Insert the media and press Enter.
4 Select the archive and press Enter. The failover settings are installed.
5 When prompted, press Enter to reboot the failover unit. The failover unit will reboot and automatically enter standby mode.

Administering Failover
There are no noticeable differences between administering Advanced Firewall used as a master and one which is not used as a master. There should be little or no need to administer the failover unit on a day to day basis. However, from time to time, you will need to install updates.
Note: For information on installing updates in failover units, see Installing Updates on a Failover System on page 260.

Updates are not automatically applied in order to ensure that the failover unit can provide a known good system to failover to in case of any issues resulting from updates to the master.

Accessing the Failover Unit
With failover implemented, the active Advanced Firewall system is always accessed via the usual address, whether services and protection are being supplied by the master or the failover unit, as when in standby mode the failover unit has no effective presence on any of the local or remote networks. The address used is the address of the master (192.168.72.142 in the example below). When you need to access the failover unit directly you can do so using a variation of the address for the master. All communications with the user interface on the failover unit are via HTTPS and on port 440 instead of port 441. For example, to access the master's Update page the address would usually look as follows:
https://192.168.72.142:441/cgi-bin/admin/updates.cgi
To access the settings on the failover unit, the address would be:
https://192.168.72.142:440/cgi-bin/admin/updates.cgi

Testing Failover
In order to test failover, you can force the master to enter standby mode. To test failover:
1 On the master, go to the System > Hardware > Failover page and click Enter standby mode. After a short period of time the failover unit will take over from the master.
2 To restore operations to the master, on the active system, go to the System > Hardware > Failover page and click Enter standby mode to restore the system to normal operation.
Note: If Auto failback is enabled, rebooting the master will also return it to active service and force the failover unit into standby mode.

Manual Failback
In configurations where Auto failback is not enabled, when the failover unit is in active operation but the master system has become available again after corrective action has been taken, you can manually failback to the master. To manually failback:
1 On the failover unit, go to the System > Hardware > Failover page and click Enter standby mode. Operations will be transferred to the master.

Configuring Modems
Advanced Firewall can store up to five modem profiles.

To configure a modem profile:
1 Browse to the System > Hardware > Modem page.
2 Configure the following settings:
Setting / Description
Profiles: From the drop-down list, select Empty to create a modem profile.
Profile name: Enter a name for the modem profile.
Interface: Select the serial port that the modem is connected to.
Computer to modem rate: Select the connection speed of the modem. A standard 56K modem is usually connected at the default 115200 rate.
Connect timeout: Enter the amount of time in seconds to allow the modem to attempt to connect.
Dialing mode: Select the dialing mode. Tone – Select if your telephone company supports tone dialing. Pulse – Select if your telephone company supports pulse dialing.
Modem speaker on: Select to enable audio output during the modem dialing process, if the modem has a speaker.
Init: Enter the commands required to initialize the modem.
Hangup: Enter the commands required to end a connection.
Speaker on: Enter the commands required to turn the speaker on.
Speaker off: Enter the commands required to turn the speaker off.
Tone dial: Enter the commands required to turn tone dialing on.
Pulse dial: Enter the commands required to turn pulse dialing on.
3 Click Save to save your settings and create the profile.

Installing and Uploading Firmware
Advanced Firewall can upload the third-party mgmt.o file to the system. Without this file, Alcatel SpeedTouch USB ADSL modems will not work.
Note: The 330 version of this modem also requires its own firmware update to function correctly.
To upload and install the Alcatel firmware:
1 Navigate to the System > Hardware > Firmware upload page.
2 Click Browse adjacent to the Upload file field.
3 Use the browser's Open dialog to find and open the mgmt.o firmware update file.
4 Click Upload to upload the firmware update.
Note: Once this process has been completed, the system must be rebooted before the new firmware is activated.

Diagnostics
The following sections discuss configuration tests, diagnostics, IP tools and traffic analysis.

Configuration Tests
The Configuration tests page is used to ensure that your current Advanced Firewall settings are not likely to cause problems. For example, DNS resolution is checked, gateways are pinged and network routing is tested to make sure your current settings are not likely to cause problems. Components installed on your Advanced Firewall add tests to this page which, when run, highlight problem areas.

When prompted. save the results in a suitable location for review. Generating Diagnostics Advanced Firewall provides diagnostics facilities. 2 Configure the following settings: 3 Setting Description System Select All to include all system components. typically used to provide Smoothwall support engineers with complete system configuration information to aid problem solving. To generate a diagnostics file: 1 Navigate to the System > Diagnostics > Diagnostics page. or individually select the components you want to include in the diagnostics results. 2 Click Perform tests. or individually select the modules you want to include in the diagnostics results. Modules Select All to include all modules. The results are displayed in the Details area. 287 . Click Generate.Smoothwall Advanced Firewall Administrator’s Guide To test your configuration: 1 Navigate to the System > Diagnostics > Configuration tests page.

IP Tools
The IP tools page is used to check connectivity, both from Advanced Firewall to computers on its local networks and to hosts located externally on the Internet. The output of these commands is as it would be if the commands were run directly by the root user from the console of the Advanced Firewall system. It is, of course, more convenient to run them from this page. There are two IP Tools:
• Ping – Ping establishes that basic connectivity to a specified host can be made. Use it to prove that Advanced Firewall can communicate with hosts on its local networks and external hosts on the Internet.
• Traceroute – Traceroute is used to reveal the routing path to Internet hosts, shown as a series of hops from one system to another. A greater number of hops indicates a longer (and therefore slower) connection.

Using Ping
To use Ping:
1 Navigate to the System > Diagnostics > IP tools page.
2 Select the Ping option from the Tool drop-down list.
3 Enter an IP address or hostname that you wish to ping in the IP addresses or hostnames field.
4 Click Run. The result of the ping command is displayed.

Using Traceroute
To use Traceroute:
1 Navigate to the System > Diagnostics > IP tools page.
2 Select the Traceroute option from the Tool drop-down list.
3 Enter an IP address or hostname that you wish to trace in the IP addresses or hostnames field.
4 Click Run. The result of the traceroute command is displayed.

Whois
Whois is used to display ownership information for an IP address or domain name. A major use for this is to determine the source of requests appearing in the firewall or Detection System logs. This can assist in the identification of malicious hosts.

The output of Whois is as it would be if it were run directly by the root user from the console of the Advanced Firewall system. To use Whois:
1 Navigate to the System > Diagnostics > Whois page.
2 Enter an IP address or domain name that you wish to look up in the IP addresses or domain name field.
3 Click Run.

Analyzing Network Traffic
The Traffic analysis page displays detailed information on what traffic is currently on the network, as well as specific information on connections made. It is possible to view a complete transcript of TCP and UDP sessions, including pictures sent or received on web requests. To analyze traffic:
1 Navigate to the System > Diagnostics > Traffic analysis page.
2 From the Interface drop-down list, select the interface.
3 From the Time to run for drop-down list, select how long to analyze the traffic.
4 Click Generate. After the time specified has elapsed, a breakdown of what ports and services have been used is presented.

Managing CA Certificates
When Advanced Firewall's instant messenger proxy and/or Guardian are configured to intercept SSL traffic, certificates must be validated. Advanced Firewall validates the certificates by checking them against the list of installed Certificate Authority (CA) certificates on the System > Certificates > Certificate authorities page. The following sections describe how you can import new CA certificates, export existing CA certificates and edit the list to display a subset or all of the CA certificates available.

Reviewing CA Certificates
By default, Advanced Firewall comes with certificates issued by well-known and trusted CAs. To review the certificates:
1 Browse to the System > Certificates > Certificate authorities page. Advanced Firewall displays the certificates available. It also displays which certificates are valid and which are built-in, i.e. included in Advanced Firewall by default.
2 To review a specific certificate, click on its name. Advanced Firewall displays it.
3 Click your browser's Back button to return to Advanced Firewall.

Importing CA Certificates
To import CA certificates:
1 Navigate to the System > Certificates > Certificate authorities page and locate the Import Certificate Authority certificate area.
2 Click Browse, navigate to the certificate and select it.
3 Click the import option. Advanced Firewall imports the certificate and displays it at the bottom of the list.

Exporting CA Certificates
To export certificates:
1 On the System > Certificates > Certificate authorities page, select the certificate.
2 From the Export format drop-down list, select one of the following options:
Option / Description
CA certificate in PEM: Export the certificate in an ASCII (textual) certificate format commonly used by Microsoft operating systems.
CA certificate in BIN: Export the certificate in a binary certificate format.
3 Click Export and save the certificate on suitable medium.

Deleting and Restoring Certificates
You can remove built-in certificates from the list on the System > Certificates > Certificate authorities page. You can also restore them to the list if required. To delete certificates:
1 On the System > Certificates > Certificate authorities page, select the certificate(s) and click Delete. Advanced Firewall removes the certificate(s).

Chapter 14
Centrally Managing Smoothwall Systems
In this chapter:
• About centrally managing Smoothwall systems
• Pre-requirements
• Setting up a Smoothwall system
• Managing nodes in a system.

About Centrally Managing Smoothwall Systems
Advanced Firewall's central management enables you to monitor and manage nodes in a Smoothwall system. A Smoothwall system is comprised of an instance of a Smoothwall product running as a parent node and one or more compatible Smoothwall products running as child nodes being managed by the parent node. Configuring and managing a Smoothwall system entails:
• Configuring a parent and the nodes in the system; for more information, see Setting up a Centrally Managed Smoothwall System on page 292
• Actively monitoring the nodes in the system; for more information, see Monitoring Node Status on page 297
• Applying updates; for more information, see Scheduling and Applying Updates to One or More Nodes on page 299
• Rebooting nodes as required; for more information, see Rebooting Nodes on page 299
• Disabling nodes as required; for more information, see Disabling Nodes on page 299.

Pre-requirements
Before you start to set up a centrally managed Smoothwall system:
• Check that all the Smoothwall machines you intend to include in the system have the latest updates applied. For more information, see Chapter 13, Installing Updates on page 259
• Check that you have administrator access to all of the computers you want to include in the system
• Check that there is IP access from the computer that will be the parent node to the computers that will be child nodes in the system.

Setting up a Centrally Managed Smoothwall System
Setting up a centrally managed Smoothwall system entails:
• Configuring the parent node in the system
• Configuring child node settings, installing the central management key and enabling SSH on child nodes
• Adding child nodes to the system.

Configuring the Parent Node
The first step when configuring a Smoothwall system is to configure the parent node in the system. To configure the parent node:
1 Log in to the instance of Advanced Firewall you want to function as the parent node.
2 Browse to the System > Central management > Local node settings page.
3 Configure the following settings:
Setting / Description
Local node options: Parent node – Select this option to enable central management and configure this instance of Advanced Firewall as the parent node in the Smoothwall system.
4 Click Save. This instance of Advanced Firewall becomes the parent node and can be used to centrally manage the Smoothwall system.

Configuring Child Nodes
Every child node in a Smoothwall system must have a central management key installed and SSH enabled. To configure a child node:
1 On the system's parent node, browse to the System > Central management > Local node settings page.
2 Configure the following settings:
Setting / Description
Local node options: Parent node – Check that this option is selected so that you can generate a central management key for installation on child nodes.
Manage central management keys: Central management key – Click Download to download and save the central management key in a secure, accessible location for distribution to the child nodes in the system.
3 On the Smoothwall system you want to add as a child node, browse to the System > Central management > Local node settings page and configure the following settings:
Setting / Description
Local node options: Child node – Select this option to configure this machine as a child node in the system. Click Save to save this setting.
Manage central management keys: Upload central management key – Using your browser's controls, browse to and select the key. Click Save to upload the key to the child node.
Note: If you are reconfiguring a child node to be the child of a new parent, reboot the child node to apply the changes.
4 On the System > Administration > Admin options page, select SSH and click Save.
5 Repeat step 3 and step 4 above on any other machines you want to use as child nodes. When finished, you are ready to add them to the system. See Adding Child Nodes to the System on page 294 for more information.

Adding Child Nodes to the System
When you have installed the central management key and enabled SSH on all child nodes, you are ready to add them to the system. You can add nodes:
• Manually by adding each node separately; for more information, see Manually Adding Child Nodes on page 294
• By importing node information from a CSV file; for more information, see Importing Nodes into the System on page 295.

Manually Adding Child Nodes
Adding child nodes manually entails entering the information for each node separately. To add child nodes manually:
1 On the parent node, browse to the System > Central management > Child nodes page.
2 Click Add node and configure the following settings:
Setting / Description
Node details: Node name – Enter a unique name to identify the node. Node names may only consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
IP/hostname – Enter the IP address or hostname of the child node.
Comment – Optionally, enter a comment describing the child node.

This field is required. Allow parent to monitor status – Select to enable central monitoring for the child node. the child node in the system will be overwritten. Note: If the name is the same as that of a child node already in the system. When enabled and quotas have been used in a web filtering policy. you can import it directly into the parent node. underscores and full stops. About the CSV File Each line in the CSV file must contain 8 fields.Monitorstatus. see Monitoring Node Status on page 297.Centralresources Replicationprofile. A node name may consist of letters. 295 . When prompted. The replication profile enables the sharing of system settings between nodes. For more information. For information on configuring a replication profile. Enabled – Enter: yes. The parent node lists the child nodes and displays their current status. off. Note: Do not select this option if you want to access the child node’s logs on the child node itself. numbers. or 0. Note: Currently. Importing Nodes into the System If child node information is available in a comma separated format (CSV) file. 4 Repeat step 2 and step 3 for each node you want to add to the system.Smoothwall Advanced Firewall Administrator’s Guide Setting Description Node settings Replication profile – From the drop-down list. spaces. Note: Do not enable this option if you want to access the child node’s logs on the child node itself. on.Enabled. Unicode is not supported. This field is required. browse to the System > Central management > Overview page. review the node details and then click Save to add the node. 5 When you have added all of the nodes.IP/hostname. Disabled – Enter: no. Central logging – Select to enable central logging for the child node. see Chapter 13. Central logging Determines if central logging is enabled or disabled. the parent ensures that users cannot access content for longer than allowed by using different child nodes. 
or 1.Comment The possible values for the fields are as follows: Field Value Name The node name. Allow parent to manage resources – Select to enable the parent node in the group to manage child node resources such as quotas which limit user access to web content. 3 Select Enable node and click Confirm. Creating an Archive on page 263. this option only applies to Advanced Firewall with Guardian3 installed. IP/hostname The IP or hostname of the node. This field is required. select the replication profile to be deployed on the child node.Centrallogging. The fields must be separated by commas and ordered as follows: Name.

Replication profile – The name of the replication profile used on the node. For more information, see Chapter 13, About Archive Profiles on page 263. This field is optional and may be empty.
Monitor status – Determines if central monitoring is enabled or disabled. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0. This field is required.
Central logging – Determines if central logging is enabled or disabled. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0. This field is required.
Note: Do not enable this option if you want to access the child node’s logs on the child node itself.
Central resources – Determines if resources are managed by the parent. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0. This field is required.
Note: Currently, this option only applies to Advanced Firewall with Guardian3 installed.
Comment – A comment. It may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported. This field is optional.
For full information on what the settings do, see Manually Adding Child Nodes on page 294.

Importing Node Information
The following steps explain how to import node information from a CSV file. For more information on CSV files, see About the CSV File on page 295.
Note: Importing settings from a CSV file will overwrite existing nodes with the same name.
To import node information from a CSV file:
1 On the parent node, browse to the System > Central management > Child nodes page.
2 Click Import CSV. When prompted, browse to the file and select it. Click Import to import the contents of the file.
3 The parent node displays the contents of the file and notifies you of any errors in the file.
4 Click Confirm to import the information in the file. The parent node imports the node information and displays it.

Editing Child Node Settings
When required, it is possible to edit child node settings.
To edit a child node’s settings:
1 Browse to the System > Central management > Child nodes page, locate the node you want to edit and click Edit node.
2 Make the changes required, see Manually Adding Child Nodes on page 294 for full information on the settings.
3 Click Confirm, review the changes and then click Save to save and implement the changes.
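An added example, not Smoothwall’s own import code: a pre-flight validator that applies the 8-field order, the yes/on/1 and no/off/0 values and the character rules described above to a constructed CSV before it is handed to the parent node, and warns about names that the import would overwrite. The message wording and the sample data are this example’s own.

```python
"""Pre-flight checks for a child-node CSV in the 8-field layout above.

Added example, not Smoothwall's import code. Field order, accepted values
and character rules are taken from the guide; the messages are this
example's own. Names already known to the parent are only warned about,
since the guide states that the import overwrites nodes of the same name.
"""
import csv
import io
import re

FIELDS = ["Name", "IP/hostname", "Enabled", "Replicationprofile",
          "Monitorstatus", "Centrallogging", "Centralresources", "Comment"]
BOOL_FIELDS = ("Enabled", "Monitorstatus", "Centrallogging", "Centralresources")
TRUE_VALUES = {"yes", "on", "1"}
FALSE_VALUES = {"no", "off", "0"}
# Letters, numbers, spaces, underscores and full stops; Unicode is not supported.
TEXT_RE = re.compile(r"^[A-Za-z0-9 _.]+$")


def parse_flag(value):
    """Map yes/on/1 to True and no/off/0 to False; anything else is None."""
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    return None


def validate_nodes_csv(text, existing_names=()):
    """Return (nodes, problems).

    nodes    - one dict per valid line, keyed by FIELDS, with the four
               enable/disable fields converted to bool
    problems - messages prefixed 'line N: error:' or 'line N: warning:';
               a line with any error is left out of nodes
    """
    nodes, problems = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) != len(FIELDS):
            problems.append(f"line {lineno}: error: expected {len(FIELDS)} "
                            f"fields, got {len(row)}")
            continue
        node = dict(zip(FIELDS, (cell.strip() for cell in row)))
        errors = []
        for field in ("Name", "IP/hostname"):
            if not node[field]:
                errors.append(f"{field} is required")
        if node["Name"] and not TEXT_RE.match(node["Name"]):
            errors.append("Name contains unsupported characters")
        if node["Comment"] and not TEXT_RE.match(node["Comment"]):
            errors.append("Comment contains unsupported characters")
        for field in BOOL_FIELDS:
            flag = parse_flag(node[field])
            if flag is None:
                errors.append(f"{field} must be yes/on/1 or no/off/0, "
                              f"got {node[field]!r}")
            else:
                node[field] = flag
        if errors:
            problems.extend(f"line {lineno}: error: {e}" for e in errors)
            continue
        if node["Name"] in existing_names:
            problems.append(f"line {lineno}: warning: node {node['Name']!r} "
                            "already exists and will be overwritten")
        nodes.append(node)
    return nodes, problems


# Constructed sample file: two valid lines (the second duplicates an existing
# node name), an invalid Enabled value, and a line with too many fields.
SAMPLE_CSV = """\
branch_01,192.0.2.10,yes,Standard profile,yes,no,off,Branch office one
branch_02,fw2.example.net,on,,1,1,0,
branch_03,192.0.2.12,maybe,,yes,yes,yes,Enabled value is wrong
,192.0.2.13,yes,,yes,yes,yes,missing name,extra field
"""

if __name__ == "__main__":
    found, issues = validate_nodes_csv(SAMPLE_CSV, existing_names={"branch_02"})
    for message in issues:
        print(message)
    print(f"{len(found)} node(s) ready to import")
```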

Deleting Nodes in the System
It is possible to delete nodes that are no longer required in the system.
To delete a node:
1 On the System > Central management > Child nodes page, locate the node you want to delete and click Delete node. When prompted, click Delete to confirm the deletion.
2 Repeat the step above for any other nodes you want to delete.

Managing Nodes in a Smoothwall System
Managing nodes in a Smoothwall system entails:
• Monitoring node status
• Applying updates to nodes
• Scheduling updates for application at a specific time
• Rebooting nodes when necessary
• Disabling nodes when necessary

Monitoring Node Status
The central management node overview on the parent node displays a list of all of the nodes in the Smoothwall system. It also displays the nodes’ current status and whether updates for the nodes are available.
To monitor node status:
1 On the parent node, browse to the System > Central management > Overview page. The parent node displays current node status.
Node information is contained in the following fields:
Field – Description
Name – The Name field displays the name of the node. Click on the name to log in to the node.

Status – The Status field displays the current state of the node. The following statuses are possible:
OK – the node is functioning and does not require attention.
Warning – the node does not require immediate attention but should be checked for problems. Click on the node’s status field for more information.
Critical – the node requires immediate attention. Click on the node’s status field for more information.
Click on the Status text to display detailed information on the node. For more information, see Accessing the Node Details Page on page 298.
Updates – The Updates field enables you to schedule the application of available updates. Click on the Updates text to display detailed information on the node. For more information, see Scheduling and Applying Updates to One or More Nodes on page 299.

Accessing the Node Details Page
It is possible to view detailed information on a node by accessing the node details page.
To access a node details page:
1 On the parent node, browse to the System > Central management > Overview page.
2 Locate the node you want more information on and click on its Status text. Advanced Firewall displays the node details page.
3 Click on the displayed headings for more information.
4 Click Refresh node to refresh the information displayed.
5 Click Reboot node to reboot the node.

Working with Updates
You can review and apply updates to a node as they become available. You can also apply updates to one or more nodes immediately or at a later date.

Reviewing and Applying Available Updates to a Node
You can review and apply updates to a node as they become available.
To review and apply updates:
1 On the parent node, browse to the System > Central management > Overview page.
2 Click the Updates tab and then click the Status field of the node. The node details are displayed.
3 Click on the Updates line to review detailed information about the updates available. The Schedule node update page is displayed.
4 In the Install updates area, select one of the following options:
Option – Description
Now – Select to apply the updates to the node immediately. Click Schedule update.
Later – From the drop-down list, select when you want the updates applied to the node. To apply the updates to the node, click Schedule update.
5 The updates are applied to the node as specified in the previous step and the node is rebooted.

Scheduling and Applying Updates to One or More Nodes
You can apply updates to one or more nodes immediately or schedule them for application later.
To apply updates:
1 On the parent node, browse to the System > Central management > Overview page.
2 Locate and select the node(s) that require updates and click Schedule update. The Schedule node update page is displayed.
3 In the Install updates area, select one of the following options:
Option – Description
Now – Select to apply the update(s) to the node(s) immediately. Click Schedule update.
Later – From the drop-down list, select when you want the update(s) applied to the node(s). Click Schedule update.
4 The updates are applied to the node(s) as specified in the previous step and the node(s) are rebooted.

Clearing Scheduled Updates
It is possible to clear any scheduled updates.
To clear scheduled updates:
1 On the System > Central management > Overview page or the node details page, under Updates, click Clear schedule.
2 Advanced Firewall displays the updates that are currently scheduled. Click Clear schedule to clear the updates.

Rebooting Nodes
When required, you can reboot a child node from the system’s parent node.
To reboot a child node:
1 On the parent node, browse to the System > Central management > Overview page.
2 Locate the node you want to reboot and click on the Status text. The node details are displayed.
3 Click Reboot node. The Schedule node reboot page opens.
4 In the Reboot node area, select one of the following options:
Option – Description
Now – Select to reboot the node immediately.
Later – From the drop-down list, select when you want to reboot the node.
Click Schedule reboot.
5 The node is rebooted.

Disabling Nodes
It is possible to disable nodes locally and system-wide.

Disabling Nodes Locally
You may need to work on a child node in a system and, e.g. want to stop replication settings from being applied by the parent. You can do this by disabling the child node locally.
To disable a node locally:
1 On the node you want to disable, browse to the System > Central management > Local node settings page.

2 In the Local node options area, select Disable and click Save.
3 Repeat the step above for any other nodes in the system that you want to disable.
Note: On the parent node, on the System > Central management > Overview page, nodes that have been disabled locally will be listed as Node uncontactable.

Disabling Nodes System-wide
You may need to disable a child node in a system, e.g. in the case of hardware failure. You can do this by disabling the child node system-wide.
To disable a node system-wide:
1 On the parent node, browse to the System > Central management > Child nodes page.
2 Locate the node you want to disable and, in its area, select Disable and click Save.
3 Repeat the steps above for any other nodes in the system that you want to disable system-wide.

Appendix A Authentication
In this appendix:
• Authentication methods
• WPA enterprise and Windows 8

Overview
Advanced Firewall’s authentication system enables the identity of internal network users to be verified, such that service permissions and restrictions can be dynamically applied according to a user’s group membership.

Verifying User Identity Credentials
In order to authenticate users, Advanced Firewall must be able to verify the identity credentials, e.g. usernames and passwords, supplied by network users, against known user profile information. Credentials are verified against the authentication system’s local user database. If the credentials cannot be verified by the authentication system, i.e. a matching username and password cannot be found in the local user database, the user’s identity status will be set to ‘Unauthenticated’. Unauthenticated users are usually granted limited, or sometimes no, access to authentication-enabled services. A user that is authenticated can be described as being logged in. Network users must provide their identity credentials when using an authentication-enabled service for the first time. Once a particular user is known, an authentication-enabled service can enforce customized permissions and restrictions.

About Authentication Mechanisms
The authentication system performs two functions:
• Identity confirmation – provide details of known authenticated users at a particular IP address.
• Identity verification – authenticate users by checking supplied identity credentials.
All authentication-enabled services use the authentication system to discover what users are accessing them. Authentication-enabled services can interact with the authentication system in the following ways:
• Passive interrogation of whether there is an already-authenticated user at a particular IP address, and if so their details
• Active provision of user-supplied identity credentials, e.g. usernames and passwords, for onward authentication.
The means by which these two types of interactions are combined and implemented defines a particular named authentication mechanism.

The Core Authentication Mechanism
This is a special type of authentication mechanism that uses the first interaction method exclusively, i.e. it only ever asks the authentication system whether there is a known user at a particular IP address.

If the user has been authenticated, their details are provided and, in this way, appropriate permissions and restrictions can be enforced by the requesting service. If the user has not been authenticated by any other authentication mechanism, the user’s status is returned by the authentication system as ‘Unauthenticated’.

Other Authentication Mechanisms
All other authentication mechanisms use a combination of the previously discussed interactions. Such mechanisms usually interrogate the authentication system to determine if the user at the requesting IP has already been authenticated. However, if the user is currently unauthenticated, the second type of interaction occurs – i.e. the requesting service pro-actively provides end-user identity credentials to the authentication system, for onward authentication. Thus, it follows that such authentication mechanisms must also provide an appropriate means of collecting end-user identity credentials.

Choosing an Authentication Mechanism
As discussed in the preceding sections, all authentication-enabled services must use some kind of authentication mechanism to interact with the authentication system. Some authentication-enabled services offer no choice of mechanism used – in such cases, the authentication mechanism will always be ‘Core authentication’.

About the Login Time-out
The login time-out is the length of time that a user’s authenticated status will last once they are authenticated. If Advanced Firewall sees no activity from a particular user for the length of time specified by the time-out period, the user’s authenticated status will be invalidated. Time-out does not occur if Advanced Firewall can determine that the same user is still active – for example, by seeing continued web browsing from the same user.
The login time-out affects the load on the local system. Lower time-out values increase the frequency of re-authentication requests. Time-out values that are too low may adversely affect system performance, resulting in failed login attempts. However, longer time-outs increase the risk of a new user at the same IP address being granted inappropriate rights, if the original user fails to pro-actively log-out. A value of 10 minutes is effective for most networks.

Advanced Firewall and DNS
Advanced Firewall’s authentication service uses internal DNS servers for name lookups. Internal DNS servers are specified using Advanced Firewall’s setup program. Advanced Firewall’s DNS proxy server uses external DNS servers for name lookups. External DNS servers are specified when setting up an Advanced Firewall connectivity profile. However, Advanced Firewall can be configured to use an internal DNS server and the internal DNS server can, in turn, be configured to use Advanced Firewall as its DNS forwarder.

A Common DNS Pitfall
Often Advanced Firewall is configured so that an internal DNS server is configured as the primary DNS server and an external DNS server configured as the secondary DNS server. This means the client assumes that it does not matter which DNS server it uses, as all DNS servers will have access to the same information. This is not the correct way to configure DNS servers on any client. DNS is a system that was designed to be able to respond to any request by redirecting questions to the DNS servers responsible for the various registered domains on the public Internet.
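An added example, not Advanced Firewall’s code, that models the two interactions and the login time-out described above: an IP-to-user table with a 10 minute idle time-out that is extended by observed activity, and a shared-workstation scenario showing why a longer time-out lets a newcomer at the same IP inherit the previous user’s rights. The user database, IP address and timings are constructed.

```python
"""Model of the login time-out and the two authentication interactions.

Added example, not Advanced Firewall's code: an IP-to-user table with a
10 minute idle time-out (the guide's recommended value) that is refreshed
by observed activity. Times are seconds from an arbitrary origin so the
behaviour can be checked without a clock.
"""

UNAUTHENTICATED = "Unauthenticated"


class AuthSessions:
    def __init__(self, timeout=600):
        self.timeout = timeout   # login time-out in seconds
        self._by_ip = {}         # ip -> (username, time of last seen activity)

    def verify(self, ip, username, password, user_db, now):
        """Identity verification: check supplied credentials against the
        local user database; on success the user becomes logged in at ip."""
        if user_db.get(username) != password:
            return UNAUTHENTICATED
        self._by_ip[ip] = (username, now)
        return username

    def confirm(self, ip, now):
        """Identity confirmation (what Core authentication asks): who, if
        anyone, is currently authenticated at ip? Idle entries expire."""
        entry = self._by_ip.get(ip)
        if entry is None:
            return UNAUTHENTICATED
        username, last_seen = entry
        if now - last_seen > self.timeout:
            del self._by_ip[ip]      # time-out reached: status invalidated
            return UNAUTHENTICATED
        return username

    def activity(self, ip, now):
        """Traffic seen from ip (e.g. continued web browsing): a still-valid
        login is extended, so the time-out counts from the last activity."""
        user = self.confirm(ip, now)
        if user != UNAUTHENTICATED:
            self._by_ip[ip] = (user, now)
        return user

    def logout(self, ip):
        """Pro-active log-out removes the binding immediately."""
        self._by_ip.pop(ip, None)


# Constructed local user database for the example only; a real system
# stores password hashes, never plaintext.
USER_DB = {"alice": "correct horse", "bob": "battery staple"}


def shared_workstation(timeout, idle_gap):
    """Alice logs in at a shared IP, walks away without logging out, and
    someone else starts using the same IP idle_gap seconds later. Returns
    who the authentication system reports at that IP: a longer time-out
    means the newcomer inherits Alice's rights for longer."""
    sessions = AuthSessions(timeout=timeout)
    ip = "10.0.0.5"                          # constructed client address
    sessions.verify(ip, "alice", "correct horse", USER_DB, now=0)
    sessions.activity(ip, now=120)           # Alice browses for two minutes
    return sessions.confirm(ip, now=120 + idle_gap)


if __name__ == "__main__":
    print("10 min time-out, 5 min gap:", shared_workstation(600, 300))
    print(" 2 min time-out, 5 min gap:", shared_workstation(120, 300))
```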

With the proliferation of private networks and internal DNS zones, this no longer is the case. A DNS client will behave in the following way when looking up a host:
• If a reply of “host not found” is received, the client will NOT ask other DNS servers
• If the DNS is not answering, the client will try to ask another DNS server
• The client will ask randomly between configured DNS servers
Taking the above conditions into account, it is clear that a DNS configuration that has an internal DNS and an external DNS server in the configuration will not work, or at least, will not work reliably. The internal DNS server that holds the Active Directory information needs to be configured so it can resolve external hostnames. The easiest way to do this is to configure the DNS server to use a forwarder, like Advanced Firewall’s DNS proxy server.

Active Directory
The following sections describe the usernames and group membership which must be configured correctly in order to successfully implement Active Directory-based authentication.

Active Directory Username Types
A user account on a Windows 2000+ server will have 2 types of usernames:
• A Windows 2000+ username, which takes the form of user@domain.local
• An old style Windows NT 4 username, which has no domain attached to it.
When a Windows 2000+ domain has been migrated from a legacy Windows NT4 domain, the Windows NT 4 style usernames are not automatically duplicated to Windows 2000+ usernames.

Working with Large Directories
When dealing with large directories, a specified group search root can help in narrowing the scope of where to search for groups. Normally, a search through the entire directory can take a long time and make the Advanced Firewall Include groups page unwieldy to manage. Consider, for example, a directory with 5000 users and 2500 groups. Setting the group search root to the top level of the directory would result in an Include groups page with 2500 entries. This would probably take a long time to load and be hard to get an overview of.
The Additional Group search roots option enables you to specify several OUs in which to search for groups. Remember that multiple groups can be mapped to the same Advanced Firewall permissions group, but if groups are distributed in multiple OUs, one group search root may not be enough. The administrator of the Active Directory domain has 2 OUs, where the groups to be mapped are located. In the groups search root, the administrator enters the path for the primary OU and in the additional groups search, the second OU is entered:
User search root: dc=domain,dc=local
Group search root: ou=guardiangroups,ou=users,dc=domain,dc=local
Additional group search root: ou=networkgroups,dc=sub1,dc=domain,dc=local
The above example is for a multi domain Active Directory installation, where the second OU is in the sub-domain sub1.
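An added example, not part of the guide, illustrating the DNS pitfall above: a minimal model of a stub resolver that follows the three listed rules (a “host not found” answer is final, a silent server is skipped, the server is chosen at random), run against a mixed internal/external server list and against an internal server with a forwarder. The zone contents, the corp.example name and the addresses are constructed.

```python
"""Why "internal primary, external secondary" DNS is unreliable.

Added example, not part of the guide: a model of a stub resolver that
follows the three rules listed above and counts how often a private name
resolves under different server lists. Zone contents are constructed;
corp.example stands in for a private Active Directory zone.
"""
import random

NXDOMAIN = "host not found"
TIMEOUT = None      # a server modelled as None never answers

# Constructed servers. The internal server holds the private zone and, when
# given a forwarder, also answers public names; the external server knows
# only public names.
INTERNAL_WITH_FORWARDER = {"dc1.corp.example": "10.0.0.10",
                           "www.example.net": "192.0.2.80"}
INTERNAL_NO_FORWARDER = {"dc1.corp.example": "10.0.0.10"}
EXTERNAL = {"www.example.net": "192.0.2.80"}


def query(server, name):
    """One question to one server: an address, NXDOMAIN, or no answer."""
    if server is TIMEOUT:
        return TIMEOUT
    return server.get(name, NXDOMAIN)


def resolve(name, servers, rng):
    """Stub-resolver lookup over the configured server list.

    - servers are tried in random order (rule 3)
    - a server that does not answer is skipped (rule 2)
    - a "host not found" reply ends the lookup; no other server is asked (rule 1)
    Returns the address, or None when the lookup fails.
    """
    order = list(servers)
    rng.shuffle(order)
    for server in order:
        answer = query(server, name)
        if answer is TIMEOUT:
            continue
        if answer == NXDOMAIN:
            return None
        return answer
    return None


def success_rate(name, servers, trials=1000, seed=1):
    """Fraction of lookups of name that succeed with this server list."""
    rng = random.Random(seed)
    hits = sum(resolve(name, servers, rng) is not None for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    mixed = [INTERNAL_NO_FORWARDER, EXTERNAL]
    print("mixed list, private name :", success_rate("dc1.corp.example", mixed))
    print("mixed list, public name  :", success_rate("www.example.net", mixed))
    print("internal+forwarder only  :",
          success_rate("dc1.corp.example", [INTERNAL_WITH_FORWARDER]),
          success_rate("www.example.net", [INTERNAL_WITH_FORWARDER]))
```

With the mixed list roughly half of all lookups fail, for private and public names alike, because whichever server is asked first returns a final negative answer for the names it does not hold; the internal server with a forwarder resolves both.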

In order for Advanced Firewall authentication to be able to successfully look up and authenticate Windows users, a Windows 2000+ username needs to be present.

Accounts and NTLM Identification
When using NTLM identification on an Active Directory server that has been set up with no pre-Windows 2000 access permissions, the server lookup user account needs to be a member of the Pre-Windows 2000 Compatible Access group. This group is normally found in the built-in OU in the Active Directory Users and Groups snap-in.

About Kerberos
The following sections document Kerberos pre-requisites and list some points to try if troubleshooting.

Kerberos Pre-requisites and Limitations
The following are pre-requisites and known limitations when using Kerberos as an authentication method:
• Forward and reverse DNS must be working
• All clocks must be in sync. More than 5 minutes clock drift will cause authentication to fail
• Internet Explorer 6 will not work in non-transparent mode.

Troubleshooting
Check the following when troubleshooting a service that uses Kerberos:
• Make sure all the prerequisites have been met, see Kerberos Pre-requisites and Limitations on page 304
• Try another browser for fault-finding
• In Safari, try the fully qualified domain name (FQDN) if the short form does not work
• Check whether the user logged on before the keytab was created. If so, try logging off then on again.
• Check whether the user logged on before Advanced Firewall joined the domain. If so, try logging off then on again.
• Double check you are logged on with a domain account
• When exporting your own keytabs:
  • Make sure the keytab contains keys with the same type of cryptography as that used by the client
  • The “HTTP” in the service principal name (SPN) must be in uppercase
  • The keytab should contain SPNs containing the short and fully qualified forms of each hostname.

Connecting a Windows 7 System to a WPA-Enterprise/802.1X Wireless Network
Microsoft’s Windows 7 operating system is very strict on how 802.1X/EAP wireless networks are connected. Without the use of registry hacks, it is not possible to connect a Windows 7 system to a WPA-Enterprise/802.1X wireless network without certificate validation. The following describes a process of setting up an 802.1X authenticated wireless network under Windows 7 without the use of registry hacks. A profile must be created manually.

Prepare the CA certificate:
1 On the Advanced Firewall WPA Enterprise page, download the certificate file.
2 Copy the certificate file onto a suitable medium for transfer to the device, e.g. USB flash drive or CDR media.

Import the CA certificate on the device:
1 Double-click on the Certificate file.
2 Windows will present the certificate details for inspection. Click the Install Certificate... button.
3 When asked where to install the certificate, click Browse, select Trusted Root Certificate Authorities, and click OK.

Create a wireless network profile:
It is not possible to join the wireless network from the notification area icon as Windows defaults to incorrect settings for the network.
1 Access Network and Sharing Center via Control Panel.
2 Click Set up a new connection or network.
3 In the window that appears, select Manually connect to a wireless network.
4 Enter the network name (SSID) into the Network Name box.
5 Select WPA2-Enterprise as the security type.
6 Select AES as the encryption type.
7 Leave Security Key blank.
8 Select Start this connection automatically to connect as the network becomes available.
9 Click Next.
10 Click Change Connecting Settings.

Modify security settings of network profile:
1 Select the Security tab.
2 Ensure Microsoft: Protected EAP (PEAP) is selected in the drop-down list, then click Settings.
3 Ensure Validate server certificate is selected.
4 Ensure Connect to these servers is not selected.
5 Ensure the imported root CA is selected in the list under Trusted Root Certification Authorities.
6 Deselect Do not prompt user to authorize new servers or trusted certification authorities.
7 Ensure Secured password (EAP-MSCHAPv2) is selected under Select Authentication Method.
8 If your wireless network credentials do not match your Windows log on credentials, click Configure and deselect Automatically use my Windows logon name and password.
9 Click OK.
10 Click on Advanced settings.
11 Ensure Specify authentication mode is selected, and change the drop-down option to User authentication.

12 Click OK.
13 Click OK.

Connect to the wireless network
1 Click on the wireless network icon in the notification area.
2 From the wireless network list, select the wireless network required and click Connect.
3 When prompted, enter your username and password. If you did not deselect Automatically use my Windows logon name and password you will not be prompted. You should now be connected to the wireless network.

Windows 7 802.1X Profile Migration
1 After following the above instructions on how to set up 802.1X on the first machine, log in to the command prompt and export the wireless profile using:
netsh wlan export profile name="SSID"
This exports the details to an xml file.
2 Copy this xml file and the root certificate presented by Advanced Firewall to the target machine.
3 Install the certificate to the Trusted Root Certificate Authorities.
4 Open up the command prompt, navigate to the location of the xml file and enter:
netsh wlan add profile filename="wirelessprofilename.xml"
5 Login with your user credentials.

Appendix B Understanding Templates and Reports
In this chapter:
• How to use custom reporting

Programmable Drill-Down Looping Engine
The Advanced Firewall reporting system is divided into two conceptually different ideas, those of templates and reports. A template is a series of report sections and their configuration which contains instructions for extracting and manipulating data from Advanced Firewall and producing a report by filling in the template’s sections.
A report section can be considered to be similar to a building block from a construction kit or a piece from a jigsaw puzzle. It has shape, color and provides some information; however its power is better expressed when used in combination with other blocks to build more complicated and more interesting shapes. To this extent a section has a variety of inputs and a number of outputs. These can be connected to each other where the input and output types are equivalent, in the way that jigsaw pieces can be connected if their input and output facets match.
A template in that metaphor is analogous to the instruction sheet for the building blocks; it shows how to assemble the blocks together to produce the report, which is analogous to the finished model. A template is, as described above, nothing more than a structured series of sections. The act of building it takes the template and finds each of the individual blocks, retrieving data as appropriate and assembling it as the template dictates.

[Figure: Example Report Template and Example Report]

Report Templates, Exporting and Drill Down Reporting
The term reports has been made deliberately ambiguous and is now used to describe both a report and what was formerly known as a template. The difference between the two is perhaps moot for the most part; however the key difference is that a report is a combination of several things: the report template used to create it and the data which was extracted and interpreted, along with its interpretation. In the building block metaphor a report template is the instructions alone, Advanced Firewall is the warehouse full of bins of pieces and a report is the final boxed model ready for building. It has the instructions and the pieces but is still not quite ready for a user to play with.
For the bulk of users, the distinction between what is a report and what is a report template is unimportant; each will eventually show them a set of details about what their system is doing, what it has been doing historically and where their users may have been attempting things with nefarious ends. The terms report and report template are used in this appendix where the distinction between the two is deemed important.

Creation and Editing
Creating report templates is done via the Advanced Firewall custom page. The description of how to do this is covered elsewhere; however there are a few details which allow for some level of flexibility. Each report template can be assigned an icon, name and description. The name is clearly the name of the report template as it appears in the reports section, and the description and icon options are equally obvious as to their use. The description field is actually unlimited in length and reasonably permissive in the characters it may contain. Long descriptions will be truncated in the interface for brevity; however the full version of the description will appear under the report template’s advanced options.
Once a report template has been created it may be edited (including changing its name) via the edit this report link under the report icon on the reports page, which gives rise to the ability to add, remove and manipulate the sections which it contains. While editing a report template is a useful feature, there are occasions when it would be better to simply alter or manipulate an exact copy of a report template; for this purpose the edit a copy of this report option should be used. This will take a copy of all the report’s options and sections while leaving the original report template unchanged. Note again that the Edit report option on the Report display page (seen while viewing a rendered report) is analogous to the edit a copy of this report option seen from the reports page. When editing a report template, or a copy of a report template, the preview button may be used without making changes to the existing template. Changes will only be saved to the desired report template when the create report option is used.

Viewing Reports

This should leave the question: so when does the model actually get built? The answer is reasonably simple. Again using the building-block metaphor, the construction of a rendered report basically requires the following steps to be undertaken:
1 Retrieve assembly instructions.
2 Collect necessary parts from warehouse.
3 Place all the required pieces into a box along with its instructions.
4 Assemble the model and present to the awaiting small child.
These stages are always transparent to the user, but do deserve some explanation. A report template provides the first stage of this process, i.e. it is the instruction sheet for building the model. The Reports page lists the report templates or instruction sheets. Generating a report, i.e. executing it, will conduct steps 2 and 3. The Recent and saved page shows the list of boxed models ready for assembly. Viewing a report is the final step in this process and renders the report data (assembles the model) according to one of the output methods, i.e. this renders the report out into HTML, PDF, Excel, CSV or other formats. Clicking on a report template link or a report itself from either the reports or recent and saved pages will complete the missing steps and show the requesting user the final model.

Changing Report Formats
The reporting system provides multiple output formats. While HTML output is the most commonly used, there are additional formats which might allow for further analysis or interpretation of data. The formats available are:
• Adobe PDF Format
• Adobe PDF Format (suitable for black and white printers)
• Microsoft Excel format
• Comma Separated Value (csv format)
• Tab Separated Value (tsv format)
Due to the nature of a report and the rendering options, changing the rendering method does not regenerate the report, only the way it is presented, making the export process relatively quick in comparison to the generation process. Thus any saved reports can be exported exactly as is without the need to regenerate them.

Changing Report Date Ranges
From the reports page, and while viewing a rendered report, it is possible to change the date range over which the report data is accrued. Note this would require the regeneration of the report data afterwards.

From the reports page, clicking on either the report template name, its icon or one of the output formats shown in the bottom right will use the date range specified at the top of the page. From viewing a report, the date controls appear at the top right of the page next to the table of contents view; the preview button here will regenerate a new report according to those date ranges, which may be saved accordingly. Note again that both these actions will generate a new report.

Navigating HTML Reports
The HTML rendered version of a report contains a table of contents for quick and easy navigation within the report. This table is accessed by clicking on the contents button in the top left hand corner of the report when it is being viewed. The table of contents is automatically generated and is based upon the sections contained within the report itself. Features such as feed-forward and iterative reporting are reflected as titles within the report and consequently as a level of indentation in the table of contents. At the bottom right hand of each section is a link to the top of the page (labeled top); this can (obviously) be used to skip back to the top of the page where both the table of contents and rendering format options are presented.

Interpreted Results
Some results, such as URLs or IP addresses, can present additional information which might not be apparent from the result itself. For example, IP addresses can contain whois information which would allow for greater understanding of the IP address and why it might have appeared. URLs too can contain more information than is immediately apparent from viewing the URL. To activate Advanced Firewall’s advanced interpreter simply hover the mouse over the desired result; this will produce a tool-tip which contains more information about the result.

In the example shown, the user has used the advanced interpreter to show the result for a YouTube video. The URL in question has been truncated to show only the immediately relevant information (the protocol, domain and path), and hovering the mouse over the line in the results produces a tool-tip which not only shows the full URL and any associated parameters, but has also retrieved the video title, description and thumbnail from the YouTube server. The advanced interpreter is capable of recognizing many different types of URL and will present them in an appropriate manner.

Saving Reports

Reports can be saved for viewing later if desired. Saving a report stops it being subject to the 48 hour rolling deletion which tidies the reports list each day. Saved reports are listed on the Recent and saved page under the reporting section, and can be viewed, deleted and reused (by means of viewing the template used to generate them) in the same manner as a recent report. It is also important to note that a saved report is format-less and as such can be rendered to HTML, PDF, CSV etc. as desired.

Changing the Report

Once a report has been generated, the report template used to create it is stored alongside the report data itself. This report template is a copy of the actual report template used to generate the report and may be edited as desired without altering the version stored within the report itself; it can therefore be used to produce a new report with refined options or alternative date ranges, or saved to appear on the Reports page. This is achieved in numerous ways depending upon location. When viewing the Recent and saved page, underneath the report’s icon is a link to Edit report. This option will present the Custom page with the report template used to generate this report already loaded. While viewing a report there is an Edit report button presented underneath the table of contents which leads to the Custom page with the report template used to generate the viewed report already loaded. Note again that this is a copy of the report template and so may be manipulated as desired.

Investigating Further (Drill down)

Each report section, when it is generated, can present a series of related or drill down reports. These are pre-determined report templates which allow further investigation relevant to the item in the section in question and the section which is being used. This is in a way analogous to the feed-forward reporting which will be discussed later; however this is a manual process which allows a particular result to be investigated further. To better illustrate this behavior, imagine a report taken from Guardian which lists the top users who have requested internet sites via the Guardian content filter. This list would present a series of usernames; suggested drill down reports might allow for a report on the actual sites visited by an individual user, the full web activity for that user and so on.

Related reports are presented in a variety of ways depending upon the number of options available. When a particular result has only one related report available, clicking on the result itself will lead to the related report for that result. When a result has more than one related report associated with it, clicking on the result will produce a menu of the available related reports, and clicking on the relevant option will generate that related report. Drill down reports are stored notionally underneath the parent report in the Recent and saved section. Note that the list of related reports is determined by the report section and cannot be altered.

Creating Template Reports and Customizing Sections

Report templates and customized sections are managed and manipulated from the Custom page on your Advanced Firewall’s interface. Creating templates is a matter of choosing, grouping and refining a number of sections into the correct set of instructions for Advanced Firewall’s reporting engine to interpret and use to extract and manipulate data from Advanced Firewall’s logs.

A list of available sections is included on the Custom page under the heading Available sections. The available sections list is structured as a simple tree, with the sections belonging to each module categorized accordingly. Existing template reports are also included in this list so that, once created, they can be included in new report templates without having to redefine them; the Templates folder at the bottom of this list includes any existing report templates for inclusion. It should be noted that when a template report is included within another template report, its options and sections are copied into the template at the time of its inclusion. Subsequent modifications to the template will not update any other templates that include it.

On the right of the available sections list is the Included sections list, which shows a simplified form of the sections currently included in the template report being edited. This list deliberately mirrors its counterpart and denotes both the list of included sections and any groups that have been configured. Groups are shown as folders in the included sections list. To add and remove sections from the included sections list, sections can be highlighted by clicking on them and the Add or Remove controls used accordingly. Note that multiple sections can be added at once, and that sections can appear more than once in a template report.

Ordering Sections

Save for the caveats detailed under Grouping Sections, sections can be included anywhere in a report and ordered to make logical sense to the reader. To reorder a section, simply select it from the Included sections list and press either Move up or Move down depending upon which direction you wish to move it. Note that sections cannot be moved outside of their containing folders.

Grouped Sections

Many of the underlying concepts in Advanced Firewall’s reporting system are based around the notion of grouped sections. A section group is a logical construct which allows logically connected sections to be collated together. Grouping two sections together has a number of consequences and allows advanced options such as iteration and feed-forwarding to be used. Primarily, grouping options is done to allow multiple, logically similar sections to share options. For example, the Guardian web content filter module provides a number of reports which can show aspects of web browsing activity as conducted by a particular user: a Domain activity section could be configured to show the top 20 domains visited by a particular user, and a Browsing times section could be configured to show the times of day that a particular user tends to browse the internet. Both of these sections have a username field, so these sections could be grouped together and share the username option, allowing it to be entered only once when the report is generated.

Groups can contain other groups, which may of course be standard groups, iterative or feed-forward groups. They may also contain single sections. Groups also form the basis of both iterative reports and feed-forward reports, which are simply special cases of section groups. By containing groups within groups, complicated reporting structures can be developed which allow reports to automatically drill down and produce fine grained detail from a high level overview.

Understanding Groups and Grouped Options

The first details shown in a group are a text entry field allowing the group name to be changed; this name allows a group to be given a title which will help with understanding the template structure, and does not bear any influence on the report creation. The second option is a drop down list of repeat options; this is used for controlling iterative and feed-forward reporting and will be discussed in the appropriate sections.

When options are grouped together they will be presented as an option in the group under a section called Grouped options. This may be grouped, feed-forward or repeating. For iterative groups, the variable to iterate over can be chosen from the options common to the grouped sections. For feed-forward groups, a section which produces results of a suitable type can be nominated and other sections in the group will iterate over the results from that section.

The list of sections contained within the group is listed below the grouped options, each in its own collapsible section. Grouped options will be included for each section here alongside regular per-section options, with a visual indicator allowing them to be related to their grouped counterparts. Each option may be overridden by means of ticking the corresponding checkbox. An option with an override will use the value given to that option rather than the option it receives from its grouped parent; thus a group containing two sections both of which possess a limit field (the number of items to show) can have different limits applied to them. Next to the override option is a small description denoting why the option is inherently disabled (meaning that the value will be assigned by the parent group) and where the value comes from: the results of a feed-forward section, or one of the list provided in an iterating group.

Options which are not grouped, fed-forward or iterated over will be displayed using a format which is appropriate to the type of value expected. This may be any number of common user interface elements (checkboxes, select boxes, text entry fields etc.) and may provide auto-complete features to assist in finding an appropriate value. Any overridden options will also be displayed and entered in this manner and, when provided, will replace values as would be expected. They may also have a small visual indicator shown next to them in both the grouped options section and the regular options panel for each section. This indicator shows which options are grouped together and allows them to be quickly collated together, for example if two options are given slightly different names but require the same value, a username or IP address for example.

Feed-Forward Reporting

Due to the jigsaw or building block like nature of reporting sections, a particular report section may only provide part of the information which is desired, rather than the complete picture. To allow for this, the reporting template system in Advanced Firewall allows a section’s results to be used as the source of options for subsequent sections. These sections can be chained together using a mechanism known as feed-forward, where the results from one section are used to define the behavior of another.

To lead by example, take the Network Interfaces and Individual Network Interfaces sections. The Network Interfaces section can be used to show a list of all network interfaces which are configured on Advanced Firewall. This provides limited details for each network interface, such as its IP address; however it does not show monthly usage statistics. The Individual Network Interfaces section can provide this information, but needs to be supplied with the name of the interface for which to provide details. In this example the Network Interfaces report can produce one or more Interfaces, which is one of the options for the Individual Network Interfaces section. By chaining these two report sections together in a single group it is possible to produce a report template which will detail the configured external interface for Advanced Firewall, as well as include the Network Interfaces report, and then display the advanced usage and bandwidth statistics for it.

Groups utilizing feed-forward require one of their sections to be promoted (denoted as the feeder) to a state where it will provide the answers for which the other sections within that group are to be repeated. Naturally a feeder must be included before the sections it is feeding, and therefore it is removed from the normal section ordering and placed above the grouped options list in the group’s display.

Iterative Reporting

Some report sections only deal with a limited set of data. For this reason it may be desired to repeat a section using mostly the same options, but with one particular option changed each time. For example it may be desired to see the Individual Network Interface section for several (but notably not all) of the local network interfaces. In this case it would be possible to select the local network interfaces that are desired and repeat the section once for each of the desired interfaces. Note that there is potential overlap here: if the desired result is a list of all the local interfaces then feed-forwarding could be used instead, since feed-forward would produce a list of all internal interfaces, or those which are configured for internal or external networking. Note also that, while it was covered first, feed-forward is actually a special case of iteration, where the list of values to be iterated over is produced as the list of answers from a particular report section.

Group Ordering

Sections within a group can be re-ordered; this notionally changes nothing other than the order in which they are included in the final report once data has been acquired. There are exceptions to this rule however, such as the feeder section described above, which is removed from the normal ordering.

Grouping Sections

To group a number of sections together they should be selected from the included sections list and then grouped using the Group button. Note that only sections at the same level in the included sections tree can be grouped together, although a group can contain any number of items including other groups. Similarly the Ungroup command should be used to either disband a group or to remove a single item from an existing group. Ungrouping a group will disband that group, moving all its contained sections to the same level on the included sections tree that the group previously occupied; the group folder will then be removed. Ungrouping a single section will move that section up the tree to the same depth as is occupied by the group that it has just been removed from. However, ungrouping sections will remove any properties that the group contains, and so may affect any feed-forward, iterative or grouped options. It should be noted that when feed-forward is desired, the section producing results should be included in the group when it is first created; this will form the basis of the feed-forward.

Creating Feed-forward and Iterative Groups

Creating a group construct for use with feed-forward or iterative operations is done in the same way as creating a normal group. To create an iterative group, the desired sections should be grouped and the option which will form the basis of the iteration selected from the Repeat drop-down, which can be found immediately above the grouped options section for that group. Options which may be used in this way are included under a heading (in the drop down menu) of Based upon grouped option, and the list will contain most of the options that the grouped options section contains. When iterating over a grouped option, that option is no longer available in the group.

Creating a feed-forward enabled group is done in a similar manner; however this time under the Repeat drop down a list of sections is included under the title Using results from a section. By choosing a section to feed-forward the results from, this section is removed from the normal flow within the group and is instead included as a feeder section. This is due to the nature of feed-forwarding reports: they must produce the list of results to iterate over prior to iterating over them.

Some care should be taken when choosing sections to flow into each other. Feed-forward results pass from one variable into another; the variables are named in a way which makes them human readable, but not always identically, for the sake of clarity. However, generally results such as username should be taken to be suitable for feeding a username field. For example, the Network ARP Table section produces a list of interfaces which the connection is on. The result is labelled as Connected Interface and is of a type suitable for forwarding into the Individual Network Interface section. The results returned by each section are visible under the Results tab on the section in question, as well as at the bottom right hand side of the section’s description in the available sections list.

Additional caution should be taken when considering feed-forward reports as to the volume of data produced, along with the potential work load that this would require on Advanced Firewall. For example, a report which shows the top 20 groups within an organization, the top 50 users within each of those groups and the top 100 banned URLs each of those users attempted to request is entirely possible; this would result in the following execution tree:

Group Activity Section
    20 x User Activity Section
        50 x URL Activity Section
            100 URLs

Hence, assuming a reasonable time period for the calculation of each, such a report would potentially take several hours to compile and be bewilderingly detailed for any person who chooses to read it: 20 x 50 x 100 URLs, or potentially the results for a thousand users and a hundred thousand URLs. It would also require the execution and calculation of the top URLs section up to a thousand times.

Exporting Options

Each report section provides a list of options which define its behavior. For example a Domain activity section can take a username value to show the domains requested for a particular user which were subsequently banned. Creating a template for this information for each user within an organization is time consuming and unwieldy, to say the least. It is for this purpose that section options may be exported, so that they can be changed by the person using the report template. This behavior may be defined at a later stage to make the report template truly flexible.

In this particular example a Domain activity section could be included in a report template and have its Denied status checkbox enabled. Swapping to the Export tab would show a list of all the available options for this report; choosing to export the username field prior to creating the report template would mean that the username field is present for this template report on the Reports tab of the Advanced Firewall main interface (Logs and reports > Reports > Reports). Similarly, typing a username into the section’s username option (on the Options tab) allows the template report to supply a default username. Choosing the Denied option on the Export tab would again make this setting available outside of the report template (on the Reports page); however it would also have the added effect of allowing a user to turn this option off when using the template.
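The execution tree described under Creating Feed-forward and Iterative Groups can be modelled directly. The following is an added Python example, not Smoothwall’s code: a small feed-forward group runner in which the feeder’s result column becomes the option value for every other section in the group, a ticked override takes precedence over the fed value, and a counter records how many times each section ran. The sample groups, users and URLs are constructed, and the function and field names are the example’s own; the worst case arithmetic generalizes the 20 x 50 x 100 figure from the text to any nesting of limits.

```python
"""Added example: a minimal model of feed-forward groups and the work they
generate. Not Smoothwall code; all data below is constructed."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Union

Opts = Dict[str, Any]
Rows = List[Dict[str, Any]]

# Constructed sample data standing in for the Guardian logs.
GROUPS = {"sales": ["alice", "bob"], "support": ["carol"]}
URLS = {
    "alice": ["a.example/1", "a.example/2"],
    "bob": ["b.example/1"],
    "carol": ["c.example/1", "c.example/2", "c.example/3"],
}


@dataclass
class Section:
    name: str
    run: Callable[[Opts], Rows]
    overrides: Dict[str, Any] = field(default_factory=dict)  # ticked override boxes


@dataclass
class Group:
    feeder: Section            # promoted section, always executed first
    feed_var: str              # result column of the feeder ...
    target_opt: str            # ... fed into this option of each child
    children: List[Union["Section", "Group"]]


def group_activity(opts: Opts) -> Rows:
    return [{"group": g} for g in list(GROUPS)[: opts.get("limit", 20)]]


def user_activity(opts: Opts) -> Rows:
    return [{"username": u} for u in GROUPS[opts["group"]][: opts.get("limit", 50)]]


def url_activity(opts: Opts) -> Rows:
    return [{"url": u} for u in URLS[opts["username"]][: opts.get("limit", 100)]]


def run_section(section: Section, inherited: Opts, stats: Dict[str, int]) -> Rows:
    # An override replaces whatever value the section would receive from its group.
    opts = {**inherited, **section.overrides}
    stats[section.name] = stats.get(section.name, 0) + 1
    return section.run(opts)


def run_group(group: Group, inherited: Opts, stats: Dict[str, int]) -> Rows:
    """Run the feeder once, then every child once per feeder result."""
    out = []
    for row in run_section(group.feeder, inherited, stats):
        child_opts = {**inherited, group.target_opt: row[group.feed_var]}
        children = []
        for child in group.children:
            if isinstance(child, Group):
                children.append(run_group(child, child_opts, stats))
            else:
                children.append({"section": child.name,
                                 "rows": run_section(child, child_opts, stats)})
        out.append({"feeder": group.feeder.name,
                    "value": row[group.feed_var], "children": children})
    return out


def build_template(url_limit: int = None) -> Group:
    """Groups -> users -> URLs, mirroring the execution tree in the text."""
    overrides = {} if url_limit is None else {"limit": url_limit}
    urls = Section("URL Activity", url_activity, overrides)
    users = Group(Section("User Activity", user_activity), "username", "username", [urls])
    return Group(Section("Group Activity", group_activity), "group", "group", [users])


def run_template(url_limit: int = None):
    stats: Dict[str, int] = {}
    tree = run_group(build_template(url_limit), {}, stats)
    return tree, stats


def worst_case_runs(limits: List[int]) -> int:
    """Upper bound on how often the innermost section runs for nested limits,
    e.g. [20, 50] -> 1000 runs of the URL section, [20, 50, 100] -> 100000 URLs."""
    total = 1
    for n in limits:
        total *= n
    return total


if __name__ == "__main__":
    tree, stats = run_template()
    print(stats)   # {'Group Activity': 1, 'User Activity': 2, 'URL Activity': 3}
    print(worst_case_runs([20, 50, 100]))   # 100000
```

The counter is the part worth keeping an eye on when designing a template: with the text’s limits the URL section alone runs a thousand times, which is what makes such a report slow to compile.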

Reporting Folders

Report templates can be arranged into a common hierarchy to allow like purposed report templates to be kept together and alleviate some of the confusion in finding the desired template. Report templates are structured into one of the following folders on a standard Advanced Firewall installation:

Email
Firewall and networking
System
Trends
Users
    IP address analysis
    IP address analysis per web content category
        Blogs
        Image and video sharing
        News
        Reference and educational
        Shopping and online auctions
        Social bookmarking
        Social networking
        Sport
        Web portals and search engines
    Top IP addresses
    Top users
    User analysis
    User analysis per web content category
        Blogs
        Image and video sharing
        News
        Reference and educational
        Shopping and online auctions
        Social bookmarking
        Social networking
        Sport
        Web portals and search engines
Web content
    Per category
        Blogs
            Blogger
            WordPress
        Category analysis
        Image and video sharing
            Dailymotion
            Flickr
            Fotolog
            ImageShack
            ImageVenue
            YouTube
        News
            BBC News
            CNet
            CNN News
            Slashdot
        Reference and educational
            IMDB
            Wikipedia
        Shopping and online auctions
            Amazon
            Craiglists
            Ebay
        Social bookmarking
            Delicious
            Digg
            Reddit
            Stumbleupon
        Social networking
            Bebo
            Facebook
            Friendster
            Hi5
            Linkedin
            Myspace
            Orkut
            Twitter
        Sport
            BBC Sport
            ESPN Sport
        Web portals and search engines
            AOL
            Google
            Search engines
            Windows Live and MSN
            Yahoo
    Site analysis
        Top categories
        Top domains
        Top URLs
        Top web searches

The destination folder for a report template can be set when creating the report template itself by means of the Location option. This option contains an indented drop-down list of available folders; report templates can be placed in any folder as desired.

Folders can be created or deleted from the Reports page, which is the main location to use to find report templates and report folders. It also provides the ability to rename folders and to edit and remove report templates. A location bar is also present along the top of the Reports page which allows users to navigate the folder structure. Folder navigation is achieved by clicking on the folder name. Clicking on a folder higher up in the hierarchy provides a list of alternative folders on the same level of the tree; this provides a faster means to navigate the list of available folders.

Creating a Folder

To create a folder simply navigate to the appropriate location in the hierarchy and click on the Create folder button next to the location bar; this will create a new folder called New folder with the ability to rename it. A new folder should be named using letters, numbers and a limited set of punctuation symbols. Note that report folder names must be unique at the same level.

Renaming Folders

Entering the desired name into the text box that is present and clicking Rename will change the name of the report folder.

Deleting Folders

Folders can be deleted from the Reports page by pressing the red cross icon immediately below the folder image. Note that only empty folders can be deleted, so care should be taken to ensure that all report templates and other folders have been removed before deleting a folder. This limitation is in place because folder and report template deletion cannot be undone, and therefore such potentially dangerous actions are deliberately long winded.

Scheduling Reports

It is possible to schedule a report template to be executed at a particular time of day and repeated at desired intervals. Scheduled reports are deliberately flexible and present a full list of all report templates to be scheduled. Options exported to the Reports page may also be set on a report by report basis, so it is possible to schedule for a particular user (the sales manager, for example) the web activity for the sales group using a web activity report template, and for another user (the support manager) the web activity report for the support group by means of the same report template. Reports generated in this way may be saved for use later via the Recent and saved reports section and/or emailed to a list of people as an HTML embedded email or plaintext email.

Scheduled repeats allow for the automated generation of reports at specific intervals. The intervals available are:
• Daily – each day at the time allocated
• Weekday – each working day (Monday to Friday) at the allocated time
• Weekly – every week at the allocated time on the same day of the week as the first report
• Monthly – every month at the allocated time on the same day of the month as the first report
Repetition can also be disabled if it is not desirable to receive a report at regular intervals.

Scheduled reports can also be made available to particular portals using the report template’s portal permissions. Since portal permissions can be configured to behave differently depending upon the portal the generating user is assigned to, it is possible to assign a specific portal for the scheduled report to be generated by.

Portal Permissions

Reports can be made available to individuals who do not have access to the Advanced Firewall administrative interface via the Advanced Firewall user portal. This is achieved via a report’s, or report template’s, portal permissions. There are two variations to portal permissions which dictate exactly how a report might be used. Normal report permissions allow a user, via the portal, access to either a particular report or a particular report template. Access in this context means that they are able to generate and view the report data. Automatic access allows a user’s reporting activity to be made available to other users via the portal. To clarify this: a report template will generate a report when it is used. When it is generated via the portal, this report will by default only be available to the user who created it. Automatic access allows this report to be made automatically available to other users who share the author’s portal, or to one or more other portals as desired. The Automatic access permission of Portal is a special permission which allows a generated report to be assigned to all members of the portal belonging to the person who generated the report, regardless of which portal that user was in.

Reporting Sections

Generators and Linkers

Reporting sections can be divided into principally two types: generators and linkers. While all report sections generate results, and display those results in the final rendered report, some sections generate results which are intended for use in feed-forward reports and are only really useful in that context.

For example, the Guardian module provides a report section entitled Per user Client IP addresses. This section will take a Guardian username (be it derived from Active Directory or another such authentication mechanism) and show the IP addresses that are associated with this user in the Guardian web proxy access logs. It will also show the timestamps at which these hits occurred. This information is perhaps informative, but not particularly so. However the results, Client IP address and Time-Period, are both filters which can be applied to other reports, reports which might not be able to associate activity with a particular username. For example, the IM module provides tracking of Instant Message conversations; however users are unlikely to be (not to mention forbidden from) using their work usernames as their local usernames for such conversations. The IM module does, however, record the IP address used in these conversations, so using a linker section such as the one described above would be able to feed from a username, to an IP address, to an IM conversation. By this mechanism it is possible to deduce the IP address a user has been seen to use, and the time period during which they were using it.

General Sections

The bulk of Advanced Firewall’s reporting sections are reasonably easy to describe and are detailed quite well by their descriptions; there are however several big reports which defy such description and require a more in depth discussion, and these will be covered later. Standard sections show up in the available sections list in a manner similar to the following. This shows the section’s description, title and any results that are returned for use in the system’s feed-forward ability.

Network Interfaces

A list of the configured internal and external network interfaces on the system. This report section lists the interfaces available on Advanced Firewall, including any internal NIC interfaces, external NIC interfaces, modems, VLANs and VPN interfaces. It includes details about the hardware, configuration and recent network activity for each interface.

The options available to this section allow you to discriminate between Internal, External and VPN interfaces, as well as the ability to show or hide any disconnected interfaces. This section returns an interface which may be passed into a report section such as the Individual network interface report section.

The Anatomy of a URL

URL processing in the Advanced Firewall reporting system is achieved via a series of mechanisms which automatically split a URL into a number of internal parameters. These are used to speed up data processing and achieve the desired results efficiently, with minimal need to understand the dynamics of how an individual web site is constructed. However, some explanation is required as several of the more advanced features of the Guardian reports require some manipulation of the URL.

An Advanced Firewall reporting URL is extracted into three distinct components: the protocol, domain and parameters. For example, a URL entered into the Advanced Firewall reporting system will be automatically highlighted in color to denote where the appropriate parts of the URL are being extracted from. As can be seen, URLs entered in this fashion can be complete (as in the above example) or can alternatively be partial, including a combination of protocol, domain and parameters, or the parameters themselves. To use a partial URL, the URL entered should be of an appropriate format depending upon the combination of parameters which is desired. Separation is effectively done from the right hand side backwards, so any URL starting with / is viewed as simply the parameters. A URL which starts with a character other than / and does not end with :// is viewed as being the domain. A URL fragment starting with characters and ending with the string :// is interpreted as a protocol.

Deciphering a URL can however be a non-trivial task, especially due to some web sites, companies and organizations using a variety of load balancing techniques, sub-domains and a variety of techniques which can only have been considered a good idea at the time. For example, StumbleUpon, a social bookmarking site, exists not only at the domain www.stumbleupon.com but also at stumbleupon.com, a common enough concept with regards to the absence of www. However it also receives some of its content from cdn.stumble-upon.com and stumble-upon.com, curious URLs. For this reason it is possible to switch the URL recognition options in the Advanced Firewall reporting system into dealing with URLs as regular expression matches rather than strict matching.
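The three splitting rules above, and the choice between strict and regular expression matching per part, can be written down as a small parser and matcher. This is an added Python example, not Smoothwall’s code: only the three rules come from the text, while the function names, the protocol pattern, the behaviour of splitting the domain from the parameters at the first slash, and the sample logged URLs are this example’s own assumptions. The StumbleUpon case from the text is used to show why a regular expression on the domain part alone is enough.

```python
"""Added example: splitting a (possibly partial) reporting URL into protocol,
domain and parameters, and matching logged URLs against it either strictly or
as regular expressions per part. Not Smoothwall code; the three splitting
rules follow the text, everything else is this example's own design."""
import re
from typing import Dict, Iterable, List, Optional

# A protocol fragment is "characters ending in ://" (the text's third rule).
PROTO_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")

Parts = Dict[str, Optional[str]]


def split_report_url(fragment: str) -> Parts:
    """Rules from the text:
    - a fragment ending in :// is a protocol;
    - a fragment starting with / is parameters only;
    - anything else that is not a protocol starts with the domain; this
      example (an assumption) cuts the parameters off at the first / after it."""
    parts: Parts = {"protocol": None, "domain": None, "parameters": None}
    rest = fragment.strip()
    m = PROTO_RE.match(rest)
    if m:
        parts["protocol"] = m.group(0)
        rest = rest[m.end():]
    if not rest:
        return parts
    if rest.startswith("/"):
        parts["parameters"] = rest
        return parts
    slash = rest.find("/")
    if slash == -1:
        parts["domain"] = rest
    else:
        parts["domain"] = rest[:slash]
        parts["parameters"] = rest[slash:]
    return parts


def url_matches(logged_url: str, fragment: str, regex_parts: Iterable[str] = ()) -> bool:
    """True when every part present in the fragment matches the logged URL.
    Parts named in regex_parts are compared with re.fullmatch, the rest
    strictly; keeping regex_parts small follows the text's advice on cost."""
    want = split_report_url(fragment)
    have = split_report_url(logged_url)
    regex_parts = set(regex_parts)
    for name, pattern in want.items():
        if pattern is None:
            continue            # not given in the fragment: matches anything
        value = have[name]
        if value is None:
            return False
        if name in regex_parts:
            if re.fullmatch(pattern, value) is None:
                return False
        elif pattern != value:
            return False
    return True


def filter_urls(logged: Iterable[str], fragment: str,
                regex_parts: Iterable[str] = ()) -> List[str]:
    return [u for u in logged if url_matches(u, fragment, regex_parts)]


# Constructed sample of logged URLs (not real log data).
SAMPLE_LOG = [
    "http://www.stumbleupon.com/",
    "http://stumbleupon.com/toolbar",
    "http://cdn.stumble-upon.com/static/a.js",
    "http://stumble-upon.com/",
    "http://www.example.com/stumbleupon.com",
]

if __name__ == "__main__":
    print(split_report_url("https://www.youtube.com/watch?v=abc"))
    print(filter_urls(SAMPLE_LOG, "stumbleupon.com"))
    print(filter_urls(SAMPLE_LOG, r"(www\.|cdn\.)?stumble-?upon\.com", ["domain"]))
```

Note that the last sample URL carries the string stumbleupon.com in its parameters, not its domain, so neither the strict nor the regular expression domain match picks it up; that is the point of matching on the extracted parts rather than on the raw URL string.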

These options can be turned on individually for the protocol, domain and parameter parts of a URL; for speed and processing reasons it is advised that they be turned on for the minimum number of parts possible. Note however that this can change the ordering of the results.

HTTP Request Methods and HTTPS Interception

The nature of HTTPS interception means that in essence an HTTPS intercepted site should be treated no differently to a non-HTTPS site in terms of its logging; indeed, other than the protocol there is nothing to distinguish HTTP and HTTPS methodology. Guardian however also logs connections made to HTTPS servers where the content of that communication has not been intercepted. HTTPS connections start with an HTTP CONNECT request; if the connection is not being intercepted this is the only part of the communication which is logged. If the connection is being subjected to HTTPS interception then the requests within the connection are additionally logged. To differentiate between the two it is possible to set the HTTP request method (optionally along with the protocol from the domain) to catch HTTPS content which has been intercepted and that which has not. Hence, searching for methods other than CONNECT will provide results which may have been subjected to HTTPS interception. Additionally, setting the URL to include the string https:// will return only those results which have been HTTPS intercepted, as it restricts the results to those which are via the HTTPS protocol and use a request method other than CONNECT.

Guardian Status Filtering

Each URL which passes through Guardian is subjected to a level of filtering; the resulting action of that filtering is logged and can be used to filter any results within the Guardian reports. A URL may carry one or more of the following status messages: Almost blocked, Denied (or blocked), Exception, Infected or Modified. The meaning of these is covered below.

Almost blocked – This denotes any result whose score for phrase analysis was between 90 and 100 (the default score over which a result is blocked). This shows content which contained a number of phrases which elevated its score, but did not quite cause the site to be blocked.

Denied – This denotes sites which were blocked by the phrase or URL filtering in the Guardian product. The reason why the page was banned can be determined by adding the Include status option on those reports which support it.

Exception – The site in question was not filtered for one of several reasons: it may be that it is whitelisted, temporarily bypassed, soft-blocked, the client IP/group is not subject to filtering, etc.

Modified – Denotes content which was modified as it passed through the Guardian filter. This might be due to a security rule (such as removing JavaScript etc), or to enforce AUP concepts such as safe search.

Search Terms and Search Phrases

There are three facets to the search term reporting on a Guardian system: searching of search terms, filtering by search term and selecting banned search terms. Discovering search terms and showing them is achieved with the search engine search strings and terms report section. This section has a few peculiarities to its options which will be covered below, however the section is essentially designed to show the top search terms, or phrases, that have been encountered within the Guardian filtered URLs. Search terms are denoted as being either an individual word, or the entire phrase which was searched for. Note that the search term reporting will treat any quoted strings as a single search word. For example: searching for ‘babylon 5’ earth destroyer would be considered to be three search words, ‘babylon 5’, ‘earth’ and ‘destroyer’, and one search phrase.

Search terms, unlike search phrases, can additionally be restricted to omit grammatical sugar or stop words. Words such as ‘and’, ‘of’ and ‘the’ are usually omitted by most search engines and this can be taken into consideration by using the option individual (uncommon) search terms on the search term matching drop-down box. The list of common search terms is taken to be the list of words omitted by the Google search engine; this list is as follows: ‘i’, ‘a’, ‘about’, ‘an’, ‘are’, ‘as’, ‘at’, ‘be’, ‘by’, ‘com’, ‘de’, ‘en’, ‘for’, ‘from’, ‘how’, ‘in’, ‘is’, ‘it’, ‘la’, ‘of’, ‘on’, ‘or’, ‘that’, ‘the’, ‘this’, ‘to’, ‘und’, ‘was’, ‘what’, ‘when’, ‘where’, ‘who’, ‘will’, ‘with’, ‘the’ and ‘www’.

Search words and phrases are assumed to be case insensitive, as the vast majority of searches are done regardless of capitalization; however search filtering can be made case sensitive by usage of the case sensitive search option under the advanced options for this report. Both search terms and phrases can optionally be considered as regular expression matches via the appropriate option under the advanced options. Additional filtering options for username, group, client IP address and Guardian status are presented for this report. Note that a list of blocked search phrases can be achieved by use of the Guardian status denied option under the Guardian status options.

Filtering by Search Terms

As explained earlier, individual Guardian reports can be filtered by the search terminology they contain. For example, it is possible to show the top ten domains which contained a search request for the word badger. This filtering is achieved by using the individual report section's Search term matching options presented under an individual section’s advanced options. Note that all search term filters operate over the search phrase rather than individual words and can optionally be changed to using regular expression matches rather than the default mode of operation, which is strings containing this phrase. To search for blocked search terms this filter can be used in combination with the Guardian status filters.

URL Extraction and Manipulation

The Advanced Firewall reporting system for Guardian contains an advanced reporting section called URL interpretation and reporting which allows for a sophisticated set of URL manipulations to be conducted to extract information from the Guardian logs. This reporting section has a lot of reasonably complicated options, however only a few of them are relevant to the discussion of its operation; those options which are not are grayed out in the example above and will be omitted from any further discussion, as they apply the expected limitations on the search results: changing the number of results or any username, client IP address or group filter etc. The most important option for this report section is the URL, which in this example is a regular expression URL which refers to the BBC news web site. The protocol and domain fields in the URL
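The search term rules described in the two preceding sections (quoted strings as one search word, the Google stop word list, case-insensitive matching, and filtering domains by the search phrase they contain), as an added example that is not Smoothwall's own code. It assumes the search phrase is carried in the q or p query parameter, and the log URLs are constructed samples:

```python
"""Search term extraction over Guardian-style URL logs (added example, not
Smoothwall code). Assumes the search phrase is in the 'q' or 'p' parameter."""
import re
from collections import Counter
from typing import List, Optional, Sequence, Tuple
from urllib.parse import parse_qs, urlsplit

# The Google stop word list quoted in the guide.
GOOGLE_STOP_WORDS = {
    "i", "a", "about", "an", "are", "as", "at", "be", "by", "com", "de", "en",
    "for", "from", "how", "in", "is", "it", "la", "of", "on", "or", "that",
    "the", "this", "to", "und", "was", "what", "when", "where", "who", "will",
    "with", "www",
}
# A double-quoted run counts as a single search word; otherwise split on whitespace.
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')

# Constructed sample of Guardian-filtered URLs (not real log data).
SAMPLE_LOG_URLS = [
    "http://www.google.com/search?q=%22babylon+5%22+earth+destroyer",
    "http://www.google.co.uk/search?q=Babylon+5+earth",
    "http://uk.search.yahoo.com/search?p=how+to+feed+a+badger",
    "http://www.bing.com/search?q=badger+cull",
    "http://www.google.com/search?q=badger",
    "http://news.bbc.co.uk/1/hi/technology/7878769.stm",   # not a search
]


def search_terms(phrase: str) -> List[str]:
    """Split a search phrase into search words; quoted strings stay whole."""
    return [(quoted or word).strip() for quoted, word in TOKEN_RE.findall(phrase)]


def uncommon_terms(terms: Sequence[str]) -> List[str]:
    """The 'individual (uncommon) search terms' option: drop stop words."""
    return [t for t in terms if t.lower() not in GOOGLE_STOP_WORDS]


def search_phrase(url: str, params: Sequence[str] = ("q", "p")) -> Optional[str]:
    """Return the search phrase carried by a search engine URL, or None."""
    query = parse_qs(urlsplit(url).query)
    for name in params:
        for value in query.get(name, []):
            if value.strip():
                return value.strip()
    return None


def top_search_terms(urls: Sequence[str], matching: str = "phrase",
                     n: int = 10, case_sensitive: bool = False) -> List[Tuple[str, int]]:
    """matching is 'phrase' (whole search), 'term' (each word) or 'uncommon'."""
    counts: Counter = Counter()
    for url in urls:
        phrase = search_phrase(url)
        if phrase is None:
            continue
        if not case_sensitive:          # the report's default behaviour
            phrase = phrase.lower()
        if matching == "phrase":
            counts[phrase] += 1
            continue
        terms = search_terms(phrase)
        if matching == "uncommon":
            terms = uncommon_terms(terms)
        counts.update(terms)
    return counts.most_common(n)


def domains_with_search_term(urls: Sequence[str], term: str, n: int = 10,
                             regex: bool = False, case_sensitive: bool = False) -> List[Tuple[str, int]]:
    """Filtering by search term: domains whose logged search phrase contains the
    term (string containing by default, regular expression when regex is set)."""
    flags = 0 if case_sensitive else re.IGNORECASE
    pattern = re.compile(term if regex else re.escape(term), flags)
    counts: Counter = Counter()
    for url in urls:
        phrase = search_phrase(url)
        if phrase is not None and pattern.search(phrase):
            counts[urlsplit(url).hostname] += 1
    return counts.most_common(n)
```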

in this example are reasonably straight forward; they do not contain any regular expression matches (anything in brackets) and as such will not be used for anything further in this report section. The parameters field however does contain two regular expression matches, the parts between the opening and closing brackets, ( ). The parts of the URL extracted by these matching parts of the URL regular expression are labelled 1 and 2 respectively and the appropriately labelled term will be used by the Match to extract from parameters and Match to compare parameters to fields to further analyze the URL.

The Match to extract from domain and Match to extract from parameters options present which regular expression match ($1, $2, $3 etc) to extract from the URL for the purposes of identifying unique content. This value is subsequently used to uniquely identify the relevant URLs before producing a list of the top matches. In this example, if a BBC news article URL is considered:

http://news.bbc.co.uk/1/hi/technology/7878769.stm

The two matches would provide technology and 7878679 as matches. Of these two parameters one is the section from the BBC news site this article is from, the other is the article name. In this case, there are two matches which are extracted from the URL; in this example we can see that the parameter match 2, being the value of 7878769 or the article number, would be used to uniquely identify this URL.

Domain match and Parameter match – These options allow for additional information to be fed into the searching and will replace particular matches in the URL with the appropriate values. The options of Match to compare domain to and Match to compare parameters to allow for values to be substituted into the appropriate URL regular expression match to further filter the URL. In the above example the Match to compare parameters to value is 1, which means that the value entered into the Parameter match box would be substituted into $1 in the URL. This would mean that entering the option technology into the Parameter match field would produce the top 50 news articles from the technology section of the BBC News web site.

Recognise common URLs – This option allows the reporting system to recognise common URLs for known sites. This includes the ability to extract a YouTube video name from a YouTube video ID, or the ability to extract a page title from a HTML page’s header. In this example we can see that the option is enabled, thus for each of the reconstituted URLs the system would retrieve the HTML (.stm) page from the BBC News web site, extract the <title> section from the page header and include it in the report.

Rebuild and include example URL – As part of its drill down and feed-forward abilities the URL extraction report section reconstitutes a probable URL for the linked material. When this option is ticked, this reconstructed URL is included in the report alongside the match. Note, some sites such as YouTube for example can host several different URLs for the same video ID. To elaborate on this matter, both of the following URLs:

http://www.youtube.com/get_video?video_id=6rNgCnY1lPg
http://www.youtube.co.uk/get_video?video_id=6rNgCnY1lPg

are for the same video, and could be matched accordingly (giving two hits for this video); however the system would then have to construct a probable URL for the content, which would in this example reference either the .com or .co.uk address version. In these cases the reconstructed URL is a potential URL that might have been used, even if it is not the actual URL that was encountered.

Results title – This report section is feed-forward enabled and can produce a list of regular expression URLs to identify and extract matching content, in this case, the top news articles. However, the URL is rarely of interest to anyone viewing the resultant report, although by default it would be included as the section title for the feed-forwarded results. For this purpose it is possible to override the title used for the feed-forward sections by entering a value into the results title box. This can be straight text, or can reference one of the result’s feed-forward values by means of a wildcard.

In the above example, we can see that %matchtitle% is used as the value, which would present the feed-forward result of matchtitle as the title for any feed-forward sections. %matchtitle% would be the <title> extracted from the relevant HTML page. Alternatively, values of %domainmatch%, %parametermatch% or %url% could be used.

In this example the URL extraction section is being used to display the top 50 video results from the YouTube site. The URL once again contains a series of regular expression matches; this time the domain also includes a series of wildcards (.*) to accommodate YouTube being hosted via multiple domains, sub-domains and TLDs. In this manner, the URL extraction section provides one of the most flexible tools for extrapolating information about particular web sites with no in-built understanding of the site. This means that the section can easily be tailored to accommodate new web sites, or internal web sites which may be processed by Guardian but are outside of the scope of the standard templates.

Origin Filtering

Advanced Firewall contains the ability to aggregate reports over several different machines. Several Advanced Firewalls, for example, can be used as a cluster of web content filters, or alternatively the system might be configured to receive the browsing activity from several mobile users via the MobileGuardian content filter. When these results are aggregated onto a central reporting Advanced Firewall system they each contain a unique identifier to state where they came from. This identifier can be used to filter particular results to have originated from a particular machine, or class of machines. The origin filter on an Advanced Firewall report allows for the class of machine or, in some cases, the individual machine to be used to restrict the results. Note: The list of originating systems does not include a list of individual MobileGuardian installations as there may be several dozen or more of these.
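The URL extraction mechanics described above (splitting a URL into protocol, domain and parameters, extracting the bracketed regular expression matches, keying unique content on one match, filtering on another via Parameter match, keeping an example URL per result and expanding the results title wildcards), as an added example that is not Smoothwall's code. The BBC and YouTube sections mirror the two examples in the text; the regular expressions and the log URLs are constructed assumptions:

```python
"""URL interpretation and reporting over Guardian-style logs (added example,
not Smoothwall code). The section definitions and log lines are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


def split_url(url: str) -> Tuple[str, str, str]:
    """Text before '://' is the protocol; a URL starting with '/' is parameters only."""
    protocol, sep, rest = url.partition("://")
    if not sep:                               # no protocol present
        if url.startswith("/"):
            return "", "", url
        protocol, rest = "", url
    domain, slash, params = rest.partition("/")
    return protocol, domain, slash + params


@dataclass
class UrlSection:
    domain_re: str                  # regular expression for the domain field
    params_re: str                  # regular expression for the parameters field
    extract_from_params: int        # $n that uniquely identifies the content
    compare_params_to: int = 0      # $n that Parameter match is compared against
    parameter_match: str = ""       # value substituted into that $n ("" = no filter)
    results: int = 50               # number of results to show


def run_section(section: UrlSection, urls: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (match, hits, example_url) for the top results, most hits first."""
    domain_pat = re.compile(section.domain_re, re.IGNORECASE)
    params_pat = re.compile(section.params_re)
    hits: Counter = Counter()
    example: Dict[str, str] = {}
    for url in urls:
        _, domain, params = split_url(url)
        dm = domain_pat.fullmatch(domain)
        pm = params_pat.fullmatch(params)
        if not (dm and pm):
            continue
        if section.parameter_match and pm.group(section.compare_params_to) != section.parameter_match:
            continue
        key = pm.group(section.extract_from_params)
        hits[key] += 1
        # The first URL seen stands in for the rebuilt example URL; for YouTube this
        # may be the .com or the .co.uk form, as the text notes.
        example.setdefault(key, url)
    return [(k, n, example[k]) for k, n in hits.most_common(section.results)]


def results_title(template: str, values: Dict[str, str]) -> str:
    """Expand %domainmatch%, %parametermatch%, %url% or %matchtitle% wildcards."""
    return re.sub(r"%(\w+)%", lambda m: values.get(m.group(1), m.group(0)), template)


# Top technology articles: $1 is the section, $2 the article number (unique key).
BBC_TECHNOLOGY = UrlSection(
    domain_re=r"news\.bbc\.co\.uk",
    params_re=r"/1/hi/([a-z_]+)/(\d+)\.stm",
    extract_from_params=2, compare_params_to=1, parameter_match="technology")

# Top videos: wildcards in the domain cover .com, .co.uk and sub-domains.
YOUTUBE_VIDEOS = UrlSection(
    domain_re=r".*youtube.*",
    params_re=r"/get_video\?video_id=([A-Za-z0-9_-]+)",
    extract_from_params=1)

SAMPLE_LOG_URLS = [   # constructed sample, not real log data
    "http://news.bbc.co.uk/1/hi/technology/7878769.stm",
    "http://news.bbc.co.uk/1/hi/technology/7878769.stm",
    "http://news.bbc.co.uk/1/hi/business/7880001.stm",
    "http://news.bbc.co.uk/1/hi/technology/7880002.stm",
    "http://www.youtube.com/get_video?video_id=6rNgCnY1lPg",
    "http://www.youtube.co.uk/get_video?video_id=6rNgCnY1lPg",
    "http://uk.youtube.com/get_video?video_id=abcDEF12345",
    "/get_video?video_id=nodomain",        # partial URL: parameters only
]
```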

Note: The recommended configuration for MobileGuardian installations is to have MobileGuardian derive its configuration from a specific authentication group, and so the default template reports have been constructed with that in mind. By default MobileGuardian filtering would be achieved using a group filter for the appropriate group; however, should more advanced processing be required, the Origin filter could be used instead.


Appendix C Troubleshooting VPNs

In this appendix:
• Solutions to problems with VPNs.

Site-to-site Problems

All the PCs that are to participate in the VPN need to be fully operational and visible on the network before attempting to install and configure VPN software. Check that it is possible to ping the IP address of the RED (Internet) NIC on both Smoothwall Systems. Failure to get a ping echo would indicate that:
• The remote Advanced Firewall is not running
• You have the wrong IP address for the remote Advanced Firewall
• There is a network connection problem – check routers, hubs and cables etc.
• There is a problem at your Internet Service Provider
• Advanced Firewall has ping disabled via the admin interface

• Verify IP addresses by checking the Networking > Interfaces > Interfaces page for the appropriate Ethernet card.
• Check the routing information displayed in Advanced Firewall's status page. In particular, there must be a default route (gateway).
• A different local network address must be configured at both ends of the tunnel, i.e. they cannot both use the default of 192.168.0.0. Likewise, ensure there is no conflict with another network address.
• Verify the symmetry in the tunnel specification, i.e. that the IDs, IP addresses and Remote network addresses are mirrored. This is where most people make mistakes.
• Be consistent with IDs. For example:
• Hosts on static IPs should use the hostname for the gateway as the ID.
• Hosts on dynamic IPs should use the administrator's email address.
• Clients should usually not use an ID, unless they are using an unusual client that requires one.
• To simplify the problem, attempt to get a connection with shared secrets before moving on to certificates.
• Each node on the VPN network must have its own unique certificate. Specifically, at least one field in the subject must be different. The subject is a composite of the information fields supplied when the certificate is created. Obviously fields like company name can be common to all certificates. Likewise the Alt (Alternative) Name field must be unique for each certificate.
• Verify with the ISP that VPN traffic is not being blocked by any firewall or router used by the ISP. If the tunnel goes into OPEN mode but no packets will flow between the two networks, it is possible that one of the ISPs involved is blocking the ESP or AH packets. ESP mode uses IP protocol 50. AH mode uses IP protocol 50.

L2TP Road Warrior Problems

The most likely problem with L2TP road warriors is establishing the initial IPSec transport connection. The same problems that can occur with any other type of IPSec connection can also occur with an L2TP road warrior. The most likely reason for a failure at this stage is an incorrect or invalid certificate. First of all, verify the correct certificate is installed using the Microsoft MMC tool. There must be a CA certificate, as well as a host certificate, present in the system. MMC has facilities for verifying that a host certificate is recognized as being valid. Also verify the certificate is within its valid time window. If the certificate is newly created, and the time is set incorrectly by only an hour or so, the connection will be refused because the certificate is not valid.

Check the IPSec logs first when looking for causes of problems. However, because the vast majority of parameter values are predefined it is generally not likely for an IPSec protocol error other than a certificate problem to occur. Note, though, that the error messages produced by the L2TP client can be somewhat strange. Modem not responding, for instance, can mean that there was an IPSec certificate error.

Enabling L2TP Debugging

In a default configuration, Microsoft's L2TP client does not produce any log files. This can make diagnosing problems difficult if the logs on the Advanced Firewall gateway are not sufficient for finding the cause or causes of connection issues. As a last resort, you can also enable debug logging on the Windows client. To enable IPSec-level logging if you are using Windows 2000 or XP, you must create a registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley

Add a REG_DWORD value named 'EnableLogging'. Set the value to 1 to enable logging, or 0 to disable it. After changing this value, the VPN service must be restarted. From the command line:

net stop policyagent

followed by:

net start policyagent

The log file will be in the Windows system directory: \debug\oakley.log

The following URL is Microsoft's own guide to debugging L2TP connection problems: http://support.microsoft.com/default.aspx?scid=kb.en-us.325034

Note: Smoothwall does not endorse manually editing the registry. Incorrectly altering registry values may result in registry corruption and render the computer unusable.

Windows Networking Issues

In order to facilitate network browsing under Microsoft Windows across the VPN, it is necessary to make sure both ends of the tunnel are properly configured. In small, single subnet Windows networks, network neighborhood will just work without any configuration required. In these small networks, network browsing is facilitated via network broadcasts. This is because network broadcasts do not normally cross network boundaries, such as routers and VPNs. If a road warrior were to connect in, it would be unable to browse the network unless the administrator has configured the network to enable it. This problem is exactly what Windows network administrators experience when connecting two or more subnets via a router. If you are familiar with setting up multiple subnets of Windows machines, then the problem to be solved is the same.

In the case of road warrior connections, the problem to be resolved is identical to that which the administrator would face with two normally routed networks. For inexperienced Windows administrators, the following notes are provided to assist with configuring your network to enable network browsing across the VPN.

For NT networks, you will require a WINS server, normally running on your PDC. This WINS server is analogous to a DNS server for the Windows machines. Each of your desktop machines and servers should be configured to use the central WINS server in its network properties box. In more complex arrangements, such as two subnets of Windows machines with a VPN between the two, it is necessary to set up either one WINS server and share it between the subnets, or have one on each and configure a replicating system between the two.

Any road warriors connecting in should also be set to use this WINS server. Again, the details depend on the client in use. The built-in L2TP client for Windows can be configured to accept WINS and DNS server settings from the server. These parameters are configured in the Global Settings page. If this is done then, when they are connected to the office network via the VPN, they should be able to browse the office network, attach to printers and shares, etc.


Appendix D Hosting Tutorials

In this appendix:
• Examples of hosting using Advanced Firewall.

Basic Hosting Arrangement

In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e. it can support host IP addresses of 192.168.1.1 through to 192.168.1.254. Within the DMZ there are two servers:

Web server .2 – This server will have an internal IP address of 192.168.1.2 and present an external IP address of 216.1.1.2.
Mail server .3 – This server will have an internal IP address of 192.168.1.3 and present an external IP address of 216.1.1.3.

To configure this scenario:

1 First create the external aliases:
Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3

2 Next, add the port forwards:
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .3 SMTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .3 POP3

3 Finally, add the source mappings:
Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2
Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Mail Server .3

Extended Hosting Arrangement

In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e. it can support host IP addresses of 192.168.1.1 through to 192.168.1.254. Within the DMZ are three servers:

Web server .2 – This server will have an internal IP address of 192.168.1.2 and present an external IP address of 216.1.1.2. It supports both HTTP and HTTPS.
Web server .3 – This server will have an internal IP address of 192.168.1.3 and present an external IP address of 216.1.1.3. It should only be accessible to external hosts in the range 100.100.100.0/24 and 100.100.101.0/24.
Mail server .4 – This server will have an internal IP address of 192.168.1.4 and present an external IP address of 216.1.1.4.

To configure this scenario:

1 First create the external aliases:
Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3
Alias IP: 216.1.1.4 | Netmask: 255.255.255.0 | Comment: External Alias .4

2 Next, add the port forwards:
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTPS (443) | Destination port: HTTPS (443) | Comment: Web Server .2 HTTPS
Protocol: TCP | External IP: 100.100.100.0/24 | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP

Protocol: TCP | External IP: 100.100.101.0/24 | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.1.4 | Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .4 SMTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.1.4 | Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .4 POP3

3 Finally, add the source mappings:
Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2
Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Web Server .3
Source IP: 192.168.1.4 | Alias IP: 216.1.1.4 | Comment: Mail Server .4

More Advanced Hosting Arrangement

In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e. it can support host IP addresses of 192.168.1.1 through to 192.168.1.254.

A DMZ network, 192.168.1.0/24, contains 5 servers:
Web Server .2 – External IP: 216.1.1.2, Internal IP: 192.168.1.2, bridged to SQL Server .2
Web Server .3 – External IP: 216.1.1.3, Internal IP: 192.168.1.3
Intranet Web Server .4 – External IP: 216.1.1.4, Internal IP: 192.168.1.4, restricted users
Virtual Web Server .5 – External IP: 216.1.1.5, Internal IP: 192.168.1.5, same physical host as Virtual Web Server .6

A local private network, 192.168.10.0/24, contains 3 servers:
SQL Server .2 – Internal IP: 192.168.10.2
Mail Server [int] .3 – Internal IP: 192.168.10.3

Virtual Web Server .6 – External IP: 216.1.1.6, Internal IP: 192.168.1.5, same physical host as Virtual Web Server .5
Mail Server [ext, in] – External IP: 216.1.1.7, Internal IP: 192.168.1.7, relaying to Mail Server [int] .3
Mail Server [ext, out] – External IP: 216.1.1.6, Internal IP: 192.168.1.6, for outgoing mail

To configure this scenario:

1 First create the external aliases:
Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3
Alias IP: 216.1.1.4 | Netmask: 255.255.255.0 | Comment: External Alias .4
Alias IP: 216.1.1.5 | Netmask: 255.255.255.0 | Comment: External Alias .5
Alias IP: 216.1.1.6 | Netmask: 255.255.255.0 | Comment: External Alias .6
Alias IP: 216.1.1.7 | Netmask: 255.255.255.0 | Comment: External Alias .7

2 Next, add the port forwards (port forwards for example 3):
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.1.4 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Intranet Web Server .4 HTTP

Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.5 | Destination IP: 192.168.1.5 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Virtual Web Server .5 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.6 | Destination IP: 192.168.1.5 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Virtual Web Server .6 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.7 | Destination IP: 192.168.1.7 | Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .7 SMTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.7 | Destination IP: 192.168.1.7 | Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .7 POP3

3 Next, add the zone bridges (zone bridging for example 3):
Source interface: Eth1 | Destination interface: Eth2 | Protocol: TCP | Source IP: 192.168.1.2 | Destination IP: 192.168.10.2 | Destination port: User defined, 3306 | Comment: Web Server .2 to SQL Server .2
Source interface: Eth1 | Destination interface: Eth2 | Protocol: TCP | Source IP: 192.168.1.7 | Destination IP: 192.168.10.3 | Destination port: SMTP (25) | Comment: Mail Server [ext, in] .7 to Mail Server [int.] .3

4 Finally, add the source mappings (source mapping for example 3):
Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2

Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Web Server .3
Source IP: 192.168.1.4 | Alias IP: 216.1.1.4 | Comment: Intranet Web Server .4
Source IP: 192.168.1.5 | Alias IP: 216.1.1.5 | Comment: Virtual Web Server .5 & .6
Source IP: 192.168.1.6 | Alias IP: 216.1.1.6 | Comment: Mail Server [ext, out] .6
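What the three hosting steps above amount to underneath (an alias address on the RED interface, a DNAT rule per port forward restricted by the External IP range where one is given, an SNAT rule per source mapping, and a FORWARD rule per zone bridge), as an added example that is not Smoothwall's code; the product configures this through its web interface. Interface names (eth0 = RED, eth1 = DMZ, eth2 = local network) are assumed, the data is the Extended Hosting Arrangement plus the SQL zone bridge from the More Advanced one, and check_hosting flags a forwarded host whose source mapping was forgotten:

```python
"""Hosting entries as netfilter commands, plus a consistency check (added
example, not Smoothwall code; interface names are assumed)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence

RED, DMZ, LOCAL = "eth0", "eth1", "eth2"   # assumed interface names


@dataclass(frozen=True)
class Alias:
    ip: str
    netmask: str
    comment: str


@dataclass(frozen=True)
class PortForward:
    source_ip: str          # external alias the traffic arrives on
    dest_ip: str            # DMZ server it is forwarded to
    source_port: int
    dest_port: int
    comment: str
    external_ip: Optional[str] = None   # <BLANK> on the page: any remote host


@dataclass(frozen=True)
class SourceMapping:
    source_ip: str          # internal host
    alias_ip: str           # alias its outbound traffic is rewritten to
    comment: str


def alias_rule(a: Alias) -> str:
    """Bind the alias to the RED interface (netmask given as a prefix length)."""
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{a.netmask}").prefixlen
    return f"ip addr add {a.ip}/{prefix} dev {RED}"


def port_forward_rules(pf: PortForward) -> List[str]:
    """DNAT traffic arriving on the alias to the DMZ host, then let it through."""
    remote = f" -s {pf.external_ip}" if pf.external_ip else ""
    return [
        f"iptables -t nat -A PREROUTING -i {RED} -p tcp{remote} -d {pf.source_ip} "
        f"--dport {pf.source_port} -j DNAT --to-destination {pf.dest_ip}:{pf.dest_port}",
        f"iptables -A FORWARD -i {RED} -o {DMZ} -p tcp{remote} -d {pf.dest_ip} "
        f"--dport {pf.dest_port} -m conntrack --ctstate NEW -j ACCEPT",
    ]


def source_mapping_rule(sm: SourceMapping) -> str:
    """Connections the DMZ host opens leave with its alias as the source address."""
    return (f"iptables -t nat -A POSTROUTING -o {RED} -s {sm.source_ip} "
            f"-j SNAT --to-source {sm.alias_ip}")


def zone_bridge_rule(src_iface: str, dst_iface: str, source_ip: str,
                     dest_ip: str, dest_port: int) -> str:
    """Allow one DMZ host to reach one port on one host in the local network."""
    return (f"iptables -A FORWARD -i {src_iface} -o {dst_iface} -p tcp "
            f"-s {source_ip} -d {dest_ip} --dport {dest_port} "
            f"-m conntrack --ctstate NEW -j ACCEPT")


def check_hosting(aliases: Sequence[Alias], forwards: Sequence[PortForward],
                  mappings: Sequence[SourceMapping]) -> List[str]:
    """Flag forwards to undefined aliases and forwarded hosts with no source mapping."""
    alias_ips = {a.ip for a in aliases}
    mapped = {m.source_ip for m in mappings}
    problems = []
    for pf in forwards:
        if pf.source_ip not in alias_ips:
            problems.append(f"{pf.comment}: alias {pf.source_ip} not defined")
        if pf.dest_ip not in mapped:
            problems.append(f"{pf.comment}: no source mapping for {pf.dest_ip}")
    for m in mappings:
        if m.alias_ip not in alias_ips:
            problems.append(f"{m.comment}: alias {m.alias_ip} not defined")
    return problems


def build_ruleset(aliases, forwards, mappings) -> List[str]:
    rules = [alias_rule(a) for a in aliases]
    for pf in forwards:
        rules += port_forward_rules(pf)
    return rules + [source_mapping_rule(m) for m in mappings]


# The Extended Hosting Arrangement from the guide, entered as data.
EXTENDED_ALIASES = [Alias(f"216.1.1.{n}", "255.255.255.0", f"External Alias .{n}") for n in (2, 3, 4)]
EXTENDED_FORWARDS = [
    PortForward("216.1.1.2", "192.168.1.2", 80, 80, "Web Server .2 HTTP"),
    PortForward("216.1.1.2", "192.168.1.2", 443, 443, "Web Server .2 HTTPS"),
    PortForward("216.1.1.3", "192.168.1.3", 80, 80, "Web Server .3 HTTP", "100.100.100.0/24"),
    PortForward("216.1.1.3", "192.168.1.3", 80, 80, "Web Server .3 HTTP", "100.100.101.0/24"),
    PortForward("216.1.1.4", "192.168.1.4", 25, 25, "Mail Server .4 SMTP"),
    PortForward("216.1.1.4", "192.168.1.4", 110, 110, "Mail Server .4 POP3"),
]
EXTENDED_MAPPINGS = [
    SourceMapping("192.168.1.2", "216.1.1.2", "Web Server .2"),
    SourceMapping("192.168.1.3", "216.1.1.3", "Web Server .3"),
    SourceMapping("192.168.1.4", "216.1.1.4", "Mail Server .4"),
]
```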

Glossary

Numeric

2-factor authentication – The password to a token used with the token. In other words: 2-factor authentication is something you know, used together with something you have. Access is only granted when you use the two together.
3DES – A triple strength version of the DES cryptographic standard, usually using a 168-bit key.

A

Acceptable Use Policy – See AUP.
Access control – The process of preventing unauthorized access to computers, programs, processes, or systems.
Active Directory – Microsoft directory service for organizations. It contains information about organizational units, users and computers.
ActiveX – A Microsoft reusable component technology used in many VPN solutions to provide VPN client access in a road warrior's web browser.
AES (Advanced Encryption Standard) – A method of encryption selected by NIST as a replacement for DES and 3DES. AES supports key lengths of 128-bit, 192-bit and 256-bit. AES provides high security with fast performance across multiple platforms.
AH (Authentication Header) – Forms part of the IPSec tunnelling protocol suite. AH sits between the IP header and datagram payload to maintain information integrity, but not secrecy.
Algorithm – In Smoothwall products, an algorithm is a mathematical procedure that manipulates data to encrypt and decrypt it.
Alias or External Alias – In Smoothwall terminology, an alias is an additional public IP that operates as an alternative identifier of the red interface.
ARP (Address Resolution Protocol) – A protocol that maps IP addresses to NIC MAC addresses.
ARP Cache – Used by ARP to maintain the correlation between IP addresses and MAC addresses.
AUP (Acceptable Use Policy) – An AUP is an official statement on how an organization expects its employees to conduct messaging and Internet access on the organization’s email and Internet systems. The policy explains the organization’s position on how its users should conduct communication within and outside of the organization, both for business and personal use.
Authentication – The process of verifying identity or authorization.

B

Bandwidth – Bandwidth is the rate that data can be carried from one point to another. Measured in Bps (Bytes per second) or Kbps.

BIN – A binary certificate format, 8-bit compatible version of PEM.
Buffer Overflow – An error caused when a program tries to store too much data in a temporary storage area. This can be exploited by hackers to execute malicious code.

C

CA (Certificate Authority) – A trusted network entity, responsible for issuing and managing x509 digital certificates.
Certificate – A digital certificate is a file that uniquely identifies its owner. A certificate contains owner identity information and its owner's public key. Certificates are created by CAs.
Cipher – A cryptographic algorithm.
Ciphertext – Encrypted data which cannot be understood by unauthorized parties. Ciphertext is created from plain text using a cryptographic algorithm.
Client – Any computer or program connecting to, or requesting the services of, another computer or program.
Cracker – A malicious hacker.
Cross-Over Cable – A network cable with TX and RX (transmit and receive) reversed at either end to provide a direct peer-to-peer network connection.
Cryptography – The study and use of methods designed to make information unintelligible.

D

Default Gateway – The gateway in a network that will be used to access another network if a gateway is not specified for use.
Denial of Service – Occurs when a network host is flooded with large numbers of automatically generated data packets. The receiving host typically slows to a halt while it attempts to respond to each request.
DER (Distinguished Encoding Rules) – A certificate format typically used by Windows operating systems.
DES (Data Encryption Standard) – A historical 64-bit encryption algorithm still widely used today. DES is scheduled for official obsolescence by the US government agency NIST.
DHCP (Dynamic Host Control Protocol) – A protocol for automatically assigning IP addresses to hosts joining a network.
Dial-Up – A telephone based, non-permanent network connection, established using a modem.
DMZ (Demilitarized Zone) – An additional separate subnet, isolated as much as possible from protected networks.
DNS (Domain Name Service) – A name resolution service that translates a domain name to an IP address and vice versa.
Domain Controller – A server on a Microsoft Windows network that is responsible for allowing host access to a Windows domain's resources.
Dynamic IP – A non-permanent IP address automatically assigned to a host by a DHCP server.

Dynamic token – A device which generates one-time passwords based on a challenge/response procedure.

E

Egress filtering – The control of traffic leaving your network.
Encryption – The transformation of plaintext into a less readable form (called ciphertext) through a mathematical process. A ciphertext may be read by anyone who has the key to decrypt (undo the encryption) it.
ESP (Encapsulating Security Payload) – A protocol within the IPSec protocol suite that provides encryption services for tunnelled data.
Exchange Server – A Microsoft messaging system including mail server, email client and groupware applications (such as shared calendars).
Exploit – A hardware or software vulnerability that can be 'exploited' by a hacker to gain access to a system or service.

F

Filter – A filter is a collection of categories containing URLs, domains, phrases, lists of file types and replacement rules. Filters are used in policies to determine if a user should be allowed access to information or files he/she has requested using their web browser.
FIPS – Federal Information Processing Standards. See NIST.
Firewall – A combination of hardware and software used to prevent access to private network resources.

G

Gateway – A network point that acts as an entrance to another network.
Green – In Smoothwall terminology, green identifies the protected network.

H

Hacker – A highly proficient computer programmer who seeks to gain unauthorized access to systems without malicious intent.
Host – A computer connected to a network.
Hostname – A name used to identify a network host.
HTTP (Hypertext Transfer Protocol) – The set of rules for transferring files on the World Wide Web.
HTTPS – A secure version of HTTP using SSL.
Hub – A simple network device for connecting networks and network hosts.

L2TP (Layer 2 Transport Protocol) A protocol based on IPSec which combines Microsoft PPTP and Cisco Systems L2F tunnelling protocols. The longer the key length (in bits). Lockout A method to stop an unauthorized attempt to gain access to a computer. K Key A string of bits used with an algorithm to encrypt and decrypt data. LAN (Local Area Network) is a network between hosts in a similar. IPSec Passthrough A 'helper' application on NAT devices that allows IPSec VPN traffic to pass through. IPSec (Internet Protocol Security) An internationally recognized VPN protocol suite developed by the Internet Engineering Task Force (IETF). After three attempts. the greater the key space. Kernel The core part of an operating system that provides services to all other parts the operating system. For example. IDS Intrusion Detection System Internet Protocol IPS Intrusion Prevention System IP Address A 32-bit number that identifies each sender and receiver of network data. M MAC Address (Media Access Control) An address which is the unique hardware identifier of a NIC.I ICMP (Internet Control Message Protocol) One of the core protocols of the Internet protocol suite. the key determines the mapping of plaintext to ciphertext. developed by Cisco Systems. that a requested service is not available or that a host or router could not be reached. leased and managed by a telephone company. ISP An Internet Service Provider provides Internet connectivity. L L2F (Layer 2 Forwarding) A VPN system. Key space The name given to the range of possible values for a key. MX Record 344 (Mail eXchange) An entry in a domain name database that specifies an email server to . localized geography. for example. a three try limit when entering a password. Given an algorithm. Leased Lines (Or private circuits) A bespoke high-speed. It is chiefly used by networked computers' operating systems to send error messages indicating. high-capacity site-to-site network that is installed. 
The key space is the number of bits needed to count every distinct key. IPtables The Linux packet filtering tool used by Smoothwall to provide firewalling capabilities. the system locks out the user.

Port 80 is the HTTP port. N NAT-T (Network Address Translation Traversal) A VPN Gateway feature that circumvents IPSec NATing problems. NTP (Network Time Protocol) A protocol for synchronizing a computer's system clock by querying NTP Servers. PKI (Public Key Infrastructure) A framework that provides for trusted third party vetting of. user identities. to determine how Advanced Firewall handles web content and downloads to best protect your users and your organization. should a key currently in use be compromised. and binding of public keys to users. O OU An organizational unit (OU) is an object used to distinguish different departments. NIC Network Interface Card NIST (National Institute of Standards and Technology) NIST produces security and cryptography related standards and publishes them as FIPS documents. used to authenticate a user as authorized to access a computer or data. Ping A program used to verify that a specific IP address can be seen from another. It is a more effective solution than IPSec Passthrough. PEM (Privacy Enhanced Mail) A popular certificate format. sites or teams in your organization. used to secure previous VPN communications. and vouching for. Perfect Forward Secrecy A key-establishment protocol. P Password A protected/private string of characters. Port Forward A firewall rule that routes traffic from a receiving interface and port combination to 345 . known only to the authorized user(s) and the system. Port A service connection point on a computer system numerically identified between 0 and 65536.Smoothwall Advanced Firewall Administrator’s Guide handle a domain name's email. optionally time settings and authentication requirements. PKCS#12 (Public Key Cryptography Standards # 12) A portable container file format for transporting certificates and private keys. Phase 2 uses the agreed parameters from Phase 1 to bring the tunnel up. Phase 2 Phase 2 of 2 phase VPN tunnel establishment process. 
The public keys are typically in certificates. Policy Contains content filters and. or ciphertext that has been decrypted. Plaintext Data that has not been encrypted. PFS See Perfect Forward Secrecy Phase 1 Phase 1 of a 2 phase VPN tunnel establishment process. Phase 1 negotiates the security parameter agreement.

PuTTY A free Windows / SSH client. RIP (Routing Information Protocol) A routing protocol which helps routers dynamically adapt to changes in network connections by communicating information about which networks each router can reach and how far away those networks are. Private Key A secret encryption key known only by its owner. PPTP (Peer-to-Peer Tunnelling Protocol) A widely used Microsoft tunnelling standard deemed to be relatively insecure. PSK (Pre-Shared Key) An authentication mechanism that uses a password exchange and matching process to determine authenticity. Only the corresponding public key can decrypt messages encrypted using the private key. Routing Table A table used to provide directions to other networks and hosts. PPP (Point-to-Point Protocol) Used to communicate between two computers via a serial interface. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router. rules are used to determine what traffic is allowed to move from one network endpoint to another. Usually has a dynamic IP address. Proxy An intermediary server that mediates access to a service. Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. Q QOS (Quality of Service) In relation to leased lines. Protocol A formal specification of a means of computer communication. It should 346 . Road Warrior An individual remote network user. QOS is a contractual guarantee of uptime and bandwidth. standards and guidelines that state in writing how an organization plans to protect its physical and information technology (IT) assets. Public Key A publicly available encryption key that can decrypt messages encrypted by its owner's private key. S Security policy A security policy is a collection of procedures. red is used to identify the Unprotected Network (typically the Internet). Private Circuits See Leased Lines. 
typically a travelling worker 'on the road' requiring access to a organization’s network via a laptop. A public key can be used to send a private message to the public key owner. RAS has been largely superseded by VPNs. R RAS (Remote Access Server) A server which can be attached to a LAN to allow dial-up connectivity from other LANs or individual users.another interface and port combination. Rules In firewall terminology. Route A path from one network point to another. Red In Smoothwall.

instant messaging. SIP (Session Initiation Protocol) A protocol for initiating. Smart card A device which contains the credentials for authentication to any device that is smart card-enabled. modifying. usually unsolicited. Syslog A server used by other hosts to remotely record logging information. Commonly used in VOIP applications. typically between two business sites. account and logging policies. in practice. and terminating an interactive user session that involves multimedia elements such as video. U User name / user ID A unique name by which each user is known to the system. and virtual reality. administrator and user rights and define what behavior is and is not permitted. 347 .Smoothwall Advanced Firewall Administrator’s Guide include password. a computer that provides shared resources to network users. Server In general. Site-To-Site A network connection between two LANs. SSL A cryptographic protocol which provides secure communications on the Internet. Spam Junk email. Tunneling The transmission of data intended for use only within a private network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network. it becomes impossible to break the system within a meaningful time frame. SQL Injection A type of exploit whereby hackers are able to execute SQL statements via an Internet browser. voice. SSH (Secure Shell) A command line interface used to securely access a remote computer. Squid A high performance proxy caching server for web clients. SSL VPN A VPN accessed via HTTPS from any browser (theoretically). by whom and under what circumstances. T Triple DES (3-DES) Encryption A method of data encryption which uses three encryption keys and runs DES three times Triple-DES is substantially stronger than DES. VPNs require minimal client configuration. online games. Usually uses a static IP address. Subnet An identifiably separate part of an organization’s network. 
Single Sign-On (SSO) The ability to log-in to multiple computers or servers in a single action by entering a single password. Strong encryption A term given to describe a cryptographic system that uses a key so long that. Switch An intelligent cable junction device that links networks and network hosts together.

V VPN (Virtual Private Network) A network connected together via securely encrypted communication tunnels over a public network. VPN Gateway An endpoint used to establish. 348 . X X509 An authentication method that uses the exchange of CA issued certificates to guarantee authenticity. manage and control VPN connections. such as the global Internet.
